Vital data used to protect against cyberattacks is missing from more than 2,000 of the latest entries in the world's most widely used vulnerability database.
A significant number of new CVEs added to the National Vulnerability Database (NVD) in recent weeks have lacked enrichment data, the details researchers and security teams need to understand the bugs.
The NVD was established in 2005 by the U.S. National Institute of Standards and Technology (NIST). Last year alone, information on more than 29,000 discovered flaws was added to the database.
A notice added to the NVD homepage on Feb. 15 said users could expect temporary delays in the posting of CVE analysis.
According to NetRise, only about 8% of the CVE entries added to the database since Feb. 12 have a CPE associated with them.
Enrichment was lacking from well over 2,000 entries, according to separate analyses carried out by Anchore and Jerry Gamblin of Cisco Threat Detection & Response.
NIST has not provided any public explanation for the situation beyond its website notice.
VulnCheck security researcher Patrick Garrity noted on LinkedIn that the institute recently experienced its first budget cut in over a decade.
The volume of CVEs published each year has almost doubled from under 15,000 in 2017 to over 29,000 in 2023.
Vulnerability management tools depend on NVD. Chainguard CEO Dan Lorenc highlighted the lack of CPE matching for new vulnerabilities as particularly problematic for organizations that depend on NVD data as part of their security efforts.
John Pescatore, SANS Technology Institute director of emerging security trends, drew a comparison between cybersecurity and road safety.
This Cyber News was published on packetstormsecurity.com. Publication date: Tue, 19 Mar 2024 15:13:06 +0000