CVE Explained
Hassassin,
Mar 16
2023
Cyber Apocalypse is an apocalypse-themed hacking event that we host for the cybersecurity community. In celebration of this year’s event, which takes players on a mission through space and time with 40+ hacking challenges, we analyzed the 99 most searched vulnerabilities and exposures (CVEs) reported in 2022.
So what do CVEs have to do with saving the earth from a group of intergalactic attackers?
CVEs are identifiers given to publicly disclosed information security flaws, and attackers can use them to exploit vulnerable systems. Knowing about 2022’s common vulnerabilities and exploits can therefore help you safeguard against them (and prevent a fictitious apocalypse!).
Join Cyber Apocalypse 2023
Learn new techniques from content creators during the pre-event talks while they solve live challenges and share tips and tricks for Cyber Apocalypse 2023.
Win big. This year's prizes include HTB training services for teams, tons of swag, and more.
Gain glory! Get your team's name on top of the scoreboard and show everyone how it's done.
Before we share the data, some background:
Approximately 25,227 CVEs were submitted in 2022. We, however, look at 99 of the most popular vulnerabilities—based on the number of global searches each CVE generated (sourced from keyword research tool, Ahrefs).
CVEs can be mapped to many vulnerability classes depending on how you categorize them. To keep things simple and share this data, we mapped them to OWASP’s list of vulnerabilities. This includes the OWASP Top 10 and the OWASP A11 list. (The A11 list defines vulnerabilities that are not in the OWASP Top 10, like Memory Management Errors).
Of the highest searched CVEs reported in 2022, Injection, Memory Management, and Insecure Design were the top three vulnerability types. Speaking of vulnerability categories:
39% of the CVEs were mapped to the Injection category: Injection vulnerabilities allow an attacker to relay malicious code through an application to another system. Common examples include OS command injections, SQL injections, and cross-site scripting (XSS).
24% of the CVEs were mapped to the Memory Management Errors category: Memory Management Errors relate to programming languages that are non-memory safe. This means when exploited, they allow an attacker to overwrite the memory of an application and influence a system. Common examples include buffer and heap overflows.
16% of the CVEs were mapped to the Insecure Design category: Insecure Design is a broad category related to structural vulnerabilities or a lack of appropriate safeguards during software design.
CVE-2022-22965: The most popular CVE reported in 2022 (also known as Spring4Shell) is an extremely high-impact Injection vulnerability in Spring Framework that allows attackers to make changes remotely to a target system.
CVE-2022-1388: An Identification and Authentication Failure vulnerability that enables an unauthenticated attacker with network access to remotely execute commands on a target system.
CVE-2022-30190: An Injection vulnerability (also known as Folina) in which the Microsoft Windows Support Diagnostic Tool (MSDT) MSDT is called using the URL protocol from a calling application such as Word.
CVE-2022-26809: An Injection vulnerability that allows an unauthorized attacker can to send a specially crafted Remote Procedure Call (RPC) to remotely execute arbitrary code on a victim’s device.
CVE-2022-0847: An Injection vulnerability (also known as Dirty Pipe) related to the new pipe buffer structure in the Linux Kernel that allows an unprivileged local user to use this flaw to write to pages in the page cache backed by read-only files, and as a result, escalate their privileges on a system.
CVE-2022-0778: A Cryptographic Failure vulnerability that causes the OpenSSL library to enter an infinite loop when parsing an invalid certificate and can allow an attacker to trigger a Denial-of-Service (DoS).
CVE-2022-1096: An Injection vulnerability that uses type confusion in V8 in Google Chrome (prior to version 99.0.4844.84) to allow an authorized attacker to remotely read and write data on a victim’s machine.
CVE-2022-22963: An Injection vulnerability in the routing functionality of Spring Cloud Function that allows an attacker to arbitrarily run commands or code on a compromised system.
CVE-2022-21449: A Broken Access Control vulnerability that allows an unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.
CVE-2022-26925: An Identification and Authentication Failure vulnerability that allows unauthenticated attackers to remotely exploit and force domain controllers to authenticate them via the Windows NT LAN Manager (NTLM) security protocol.
CVE |
Global volume |
OWASP vulnerability type |
21,000 |
Injection |
|
20,000 |
Identification and Authentication Failures |
|
14,000 |
Injection |
|
13,000 |
Injection |
|
13,000 |
Injection |
|
12,000 |
Cryptographic Failures |
|
9,200 |
Memory Management Errors |
|
9,100 |
Injection |
|
8,600 |
Broken Access Control |
|
6,400 |
Identification and Authentication Failures |
|
5,300 |
Injection |
|
5,200 |
Injection |
|
4,700 |
Injection |
|
3,900 |
Memory Management Errors |
|
3,400 |
Insecure Design |
|
3,300 |
Memory Management Errors |
|
3,300 |
Identification and Authentication Failures |
|
3,200 |
Injection |
|
3,200 |
Insecure Design |
|
3,000 |
Injection |
|
2,800 |
Insecure Design |
|
2,800 |
Injection |
|
2,600 |
Injection |
|
2,600 |
Vulnerable and Outdated Components |
|
2,600 |
Insecure Design |
|
2,600 |
Identification and Authentication Failures |
|
2,500 |
Injection |
|
2,400 |
Memory Management Errors |
|
2,200 |
Injection |
|
2,100 |
Injection |
|
2,100 |
Security Misconfiguration |
|
2,100 |
Injection |
|
1,900 |
Broken Access Control |
|
1,900 |
Injection |
|
1,900 |
Insecure Design |
|
1,900 |
Identification and Authentication Failures |
|
1,800 |
Memory Management Errors |
|
1,700 |
Identification and Authentication Failures |
|
1,700 |
Insecure Design |
|
1,700 |
Security Misconfiguration |
|
1,700 |
Injection |
|
1,600 |
Insecure Design |
|
1,600 |
Injection |
|
1,500 |
Memory Management Errors |
|
1,400 |
Injection |
|
1,400 |
Insecure Design |
|
1,400 |
Memory Management Errors |
|
1,400 |
Memory Management Errors |
|
1,400 |
Injection |
|
1,300 |
Insecure Design |
|
1,200 |
Injection |
|
1,200 |
Injection |
|
1,200 |
Injection |
|
1,200 |
Memory Management Errors |
|
1,200 |
Insecure Design |
|
1,200 |
Identification and Authentication Failures |
|
1,100 |
Injection |
|
1,100 |
Identification and Authentication Failures |
|
1,100 |
Memory Management Errors |
|
1,100 |
Identification and Authentication Failures |
|
1,100 |
Identification and Authentication Failures |
|
1,100 |
Injection |
|
1,100 |
Insecure Design |
|
1,100 |
Memory Management Errors |
|
1,100 |
Injection |
|
1,100 |
Injection |
|
1,000 |
Injection |
|
1,000 |
Memory Management Errors |
|
1,000 |
Insecure Design |
|
1,000 |
Memory Management Errors |
|
1,000 |
Memory Management Errors |
|
900 |
Memory Management Errors |
|
900 |
Injection |
|
900 |
Injection |
|
900 |
Injection |
|
900 |
Insecure Design |
|
900 |
Identification and Authentication Failures |
|
800 |
Memory Management Errors |
|
800 |
Injection |
|
800 |
Injection |
|
800 |
Injection |
|
800 |
Memory Management Errors |
|
800 |
Memory Management Errors |
|
800 |
Injection |
|
800 |
Insecure Design |
|
700 |
Memory Management Errors |
|
700 |
Injection |
|
700 |
Injection |
|
700 |
Security Misconfiguration |
|
700 |
Insecure Design |
|
700 |
Memory Management Errors |
|
700 |
Memory Management Errors |
|
700 |
Injection |
|
600 |
Memory Management Errors |
|
600 |
Memory Management Errors |
|
600 |
Memory Management Errors |
|
600 |
Security Misconfiguration |
|
600 |
Insecure Design |
|
400 |
Identification and Authentication Failures |
We hope you enjoyed learning about some of the most popular security vulnerabilities and exploits from last year! If you're up for the challenge, join Cyber Apocalpyse 2023 to learn new techniques, meet other hackers, and push your skills to the limit.
Sign up for Cyber Apocalypse 2023
Alternatively, check out the Hack The Box Academy for guided cybersecurity training courses or our hacking Labs and Machines designed around emerging high-risk vulnerabilities and active threats in the cyber landscape.
Author bio: Hassan Ud-deen (hassassin), Content Marketing Manager, Hack The Box Hassan Ud-deen is the Content Marketing Manager at Hack The Box. He's fascinated by cybersecurity, enjoys interviewing tech professionals, and when the mood strikes him occasionally tinkers within a Linux terminal in a dark room with his (HTB) hoodie on. #noob. Feel free to connect with him on LinkedIn. |
Blue Teaming
Odysseus (c4n0pus), Dec 20, 2024