Top 25 der gefährlichsten Software-Schwachstellen 2022: Unterschied zwischen den Versionen
Zur Navigation springen
Zur Suche springen
| (6 dazwischenliegende Versionen desselben Benutzers werden nicht angezeigt) | |||
| Zeile 1: | Zeile 1: | ||
| − | = | + | *[[Die Common Weakness Enumeration (CWE)]] |
| + | |||
| + | =Basics= | ||
*Das Common Weakness Enumeration-Projekt hat die Liste für das Jahr 2022 der 25 gefährlichsten Softwareschwachstellen zusammengestellt. | *Das Common Weakness Enumeration-Projekt hat die Liste für das Jahr 2022 der 25 gefährlichsten Softwareschwachstellen zusammengestellt. | ||
*Die Liste soll die derzeit am meisten vorkommenden Lücken mit den gravierendsten Auswirkungen aufführen. | *Die Liste soll die derzeit am meisten vorkommenden Lücken mit den gravierendsten Auswirkungen aufführen. | ||
| Zeile 5: | Zeile 7: | ||
*Sie wendet sich an Softwarearchitekte, Designer, Entwickler, Tester, Nutzer, Projektmanager, Sicherheitsforscher, Ausbilder. | *Sie wendet sich an Softwarearchitekte, Designer, Entwickler, Tester, Nutzer, Projektmanager, Sicherheitsforscher, Ausbilder. | ||
=Schwachstellen= | =Schwachstellen= | ||
| − | {| class="wikitable" | + | {| class="wikitable" |
|- | |- | ||
! Platz | ! Platz | ||
| Zeile 12: | Zeile 14: | ||
|- | |- | ||
| 1 | | 1 | ||
| − | | [ | + | | [https://cwe.mitre.org/data/definitions/787.html CWE-787] |
| [[Out-of-bounds Write]] ([[Buffer-Overflow]]) | | [[Out-of-bounds Write]] ([[Buffer-Overflow]]) | ||
|- | |- | ||
| 2 | | 2 | ||
| − | | CWE-79 | + | | [https://cwe.mitre.org/data/definitions/79.html CWE-79] |
| Improper Neutralization of Input During Web Page Generation ([[Cross-Site-Scripting]]) | | Improper Neutralization of Input During Web Page Generation ([[Cross-Site-Scripting]]) | ||
|- | |- | ||
| 3 | | 3 | ||
| − | | CWE-89 | + | | [https://cwe.mitre.org/data/definitions/89.html CWE-89] |
| Improper Neutralization of Special Elements used in an SQL Command ([[SQL Injection]]) | | Improper Neutralization of Special Elements used in an SQL Command ([[SQL Injection]]) | ||
|- | |- | ||
| 4 | | 4 | ||
| − | | CWE-20 | + | | [https://cwe.mitre.org/data/definitions/20.html CWE-20] |
| Improper Input Validation ([[Command Execution]]) | | Improper Input Validation ([[Command Execution]]) | ||
|- | |- | ||
| 5 | | 5 | ||
| − | | CWE-125 | + | | [https://cwe.mitre.org/data/definitions/125.html CWE-125] |
| [[Out-of-bounds Read]] | | [[Out-of-bounds Read]] | ||
|- | |- | ||
| 6 | | 6 | ||
| − | | CWE-78 | + | | [https://cwe.mitre.org/data/definitions/78.html CWE-78] |
| Improper Neutralization of Special Elements used in an OS Command ('OS [[Command Execution]]') | | Improper Neutralization of Special Elements used in an OS Command ('OS [[Command Execution]]') | ||
|- | |- | ||
| 7 | | 7 | ||
| − | | CWE-416 | + | | [https://cwe.mitre.org/data/definitions/416.html CWE-416] |
| Use After Free | | Use After Free | ||
|- | |- | ||
| 8 | | 8 | ||
| − | | CWE-22 | + | | [https://cwe.mitre.org/data/definitions/22.html CWE-22] |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | ||
|- | |- | ||
| 9 | | 9 | ||
| − | | CWE-352 | + | | [https://cwe.mitre.org/data/definitions/352.html CWE-352] |
| Cross-Site Request Forgery (CSRF) | | Cross-Site Request Forgery (CSRF) | ||
|- | |- | ||
| 10 | | 10 | ||
| − | | CWE-434 | + | | [https://cwe.mitre.org/data/definitions/434.html CWE-434] |
| Unrestricted Upload of File with Dangerous Type ([[File Inclusion]]) | | Unrestricted Upload of File with Dangerous Type ([[File Inclusion]]) | ||
|- | |- | ||
| 11 | | 11 | ||
| − | | CWE-476 | + | | [https://cwe.mitre.org/data/definitions/476.html CWE-476] |
| [[NULL Pointer Dereference]] | | [[NULL Pointer Dereference]] | ||
|- | |- | ||
| 12 | | 12 | ||
| − | | CWE-502 | + | | [https://cwe.mitre.org/data/definitions/502.html CWE-502] |
| Deserialization of Untrusted Data | | Deserialization of Untrusted Data | ||
|- | |- | ||
| 13 | | 13 | ||
| − | | CWE-190 | + | | [https://cwe.mitre.org/data/definitions/190.html CWE-190] |
| Integer Overflow or Wraparound | | Integer Overflow or Wraparound | ||
|- | |- | ||
| 14 | | 14 | ||
| − | | CWE-287 | + | | [https://cwe.mitre.org/data/definitions/287.html CWE-287] |
| [[Improper Authentication]] | | [[Improper Authentication]] | ||
|- | |- | ||
| 15 | | 15 | ||
| − | | CWE-798 | + | | [https://cwe.mitre.org/data/definitions/798.html CWE-798] |
| Use of Hard-coded Credentials | | Use of Hard-coded Credentials | ||
|- | |- | ||
| 16 | | 16 | ||
| − | | CWE-862 | + | | [https://cwe.mitre.org/data/definitions/862.html CWE-862] |
| [[Missing Authorization]] | | [[Missing Authorization]] | ||
|- | |- | ||
| 17 | | 17 | ||
| − | | CWE-77 | + | | [https://cwe.mitre.org/data/definitions/77.html CWE-77] |
| Improper Neutralization of Special Elements used in a Command ('Command Injection') | | Improper Neutralization of Special Elements used in a Command ('Command Injection') | ||
|- | |- | ||
| 18 | | 18 | ||
| − | | CWE-306 | + | | [https://cwe.mitre.org/data/definitions/306.html CWE-306] |
| Missing Authentication for Critical Function | | Missing Authentication for Critical Function | ||
|- | |- | ||
| 19 | | 19 | ||
| − | | CWE-119 | + | | [https://cwe.mitre.org/data/definitions/119.html CWE-119] |
| Improper Restriction of Operations within the Bounds of a Memory Buffer | | Improper Restriction of Operations within the Bounds of a Memory Buffer | ||
|- | |- | ||
| 20 | | 20 | ||
| − | | CWE-276 | + | | [https://cwe.mitre.org/data/definitions/276.html CWE-276] |
| Incorrect Default Permissions | | Incorrect Default Permissions | ||
|- | |- | ||
| 21 | | 21 | ||
| − | | CWE-918 | + | | [https://cwe.mitre.org/data/definitions/918.html CWE-918] |
| Server-Side Request Forgery (SSRF) | | Server-Side Request Forgery (SSRF) | ||
|- | |- | ||
| 22 | | 22 | ||
| − | | CWE-362 | + | | [https://cwe.mitre.org/data/definitions/362.html CWE-362] |
| Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | ||
|- | |- | ||
| 23 | | 23 | ||
| − | | CWE-400 | + | | [https://cwe.mitre.org/data/definitions/400.html CWE-400] |
| Uncontrolled Resource Consumption | | Uncontrolled Resource Consumption | ||
|- | |- | ||
| 24 | | 24 | ||
| − | | CWE-611 | + | | [https://cwe.mitre.org/data/definitions/611.html CWE-611] |
| Improper Restriction of XML External Entity Reference | | Improper Restriction of XML External Entity Reference | ||
|- | |- | ||
| 25 | | 25 | ||
| − | | CWE-94 | + | | [https://cwe.mitre.org/data/definitions/94.html CWE-94] |
| Improper Control of Generation of Code ('Code Injection') | | Improper Control of Generation of Code ('Code Injection') | ||
|} | |} | ||
Aktuelle Version vom 9. Oktober 2022, 09:44 Uhr
Basics
- Das Common Weakness Enumeration-Projekt hat die Liste für das Jahr 2022 der 25 gefährlichsten Softwareschwachstellen zusammengestellt.
- Die Liste soll die derzeit am meisten vorkommenden Lücken mit den gravierendsten Auswirkungen aufführen.
- Sie soll helfen Risiken einzudämmen.
- Sie wendet sich an Softwarearchitekte, Designer, Entwickler, Tester, Nutzer, Projektmanager, Sicherheitsforscher, Ausbilder.
Schwachstellen
| Platz | ID | Beschreibung |
|---|---|---|
| 1 | CWE-787 | Out-of-bounds Write (Buffer-Overflow) |
| 2 | CWE-79 | Improper Neutralization of Input During Web Page Generation (Cross-Site-Scripting) |
| 3 | CWE-89 | Improper Neutralization of Special Elements used in an SQL Command (SQL Injection) |
| 4 | CWE-20 | Improper Input Validation (Command Execution) |
| 5 | CWE-125 | Out-of-bounds Read |
| 6 | CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Execution') |
| 7 | CWE-416 | Use After Free |
| 8 | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| 9 | CWE-352 | Cross-Site Request Forgery (CSRF) |
| 10 | CWE-434 | Unrestricted Upload of File with Dangerous Type (File Inclusion) |
| 11 | CWE-476 | NULL Pointer Dereference |
| 12 | CWE-502 | Deserialization of Untrusted Data |
| 13 | CWE-190 | Integer Overflow or Wraparound |
| 14 | CWE-287 | Improper Authentication |
| 15 | CWE-798 | Use of Hard-coded Credentials |
| 16 | CWE-862 | Missing Authorization |
| 17 | CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') |
| 18 | CWE-306 | Missing Authentication for Critical Function |
| 19 | CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer |
| 20 | CWE-276 | Incorrect Default Permissions |
| 21 | CWE-918 | Server-Side Request Forgery (SSRF) |
| 22 | CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') |
| 23 | CWE-400 | Uncontrolled Resource Consumption |
| 24 | CWE-611 | Improper Restriction of XML External Entity Reference |
| 25 | CWE-94 | Improper Control of Generation of Code ('Code Injection') |