Real-world analysis finds the severity of many CVEs is overrated

No Comments

The latest report from JFrog looks at the most prevalent vulnerabilities in 2022 with an in-depth analysis of open source security vulnerabilities that have most impact for DevOps and DevSecOps teams.

The report shows that the severity of six of the top 10 CVEs was overrated, meaning they scored higher in the NVD rating than in JFrog's own analysis. In addition the CVEs appearing within enterprises most frequently are low-severity issues that were simply never fixed.

Of the top 50 prevalent CVEs found in Artifactory, 64 percent were overrated, 26 percent were equal, and 10 percent were actually underrated.

It takes roughly 246 days to remediate a security issue and most organizations have limited resources, so the ability to correctly identify and prioritize mitigation of the most severe vulnerabilities is crucial.

JFrog's analysis is based on real-world, anonymized data from JFrog Artifactory, the company's software repository used by more than 7,000 global customers to securely manage artifacts, binaries, and other items in the software supply chain. This anonymized data provides a view of real-world usage by leading companies, revealing the issues that are most likely to affect software companies worldwide.

"The current CVSS system is flawed since vulnerability scores are not always truly verified before published," says Shachar Menashe, senior director, security research at JFrog. "The majority of the vulnerabilities detailed in this report were harder to exploit than reported, and so were undeserving of their high NVD severity rating. Vulnerabilities should be assessed by both real-world impact as well contextual analysis -how exploitable is the CVE in your local environment? It is unconscionable when CNAs assign a high criticality that is newsworthy but unfounded, causing organizations to waste valuable time and resources to mitigate a vulnerability that is extremely unlikely to have any real-world impact on their systems."

You can find out more on the JFrog site.

Image credit: nicescene/depositphotos.com

No Comments

Comments are closed.

Got News? Contact Us

Recent Headlines

TUXEDO Stellaris 17 (Gen6): A high-performance portable Linux workstation

New solution helps companies prepare for 90-day TLS standard

Get 'Enterprise Transformation to AI and the Metaverse' (worth $59.99) for FREE

Best Windows apps this week

All you wanted to know about passkeys but were afraid to ask

Microsoft tells users 'if you want to fix 0x80070643 errors, you'll have to do it yourself'

Identity and permissions present a major security challenge

Most Commented Stories

Say goodbye to Microsoft Windows 11 and hello to Nitrux Linux 3.4.1

75 Comments

The stunning Windows 13 -- yes, 13! -- is the Microsoft operating system we want

23 Comments

Microsoft 'improves' Windows 11 by bringing ads to the Start menu in the US

21 Comments

Outrageous: Microsoft to charge $61 for Windows 10 updates -- consider switching to Linux!

18 Comments

Windows 11 slammed for its 'comically bad' performance even on high-end hardware

18 Comments

Microsoft is up to its old tricks yet again -- Windows 10 users harassed with full-screen Windows 11 upgrade warnings

18 Comments

Microsoft releases preview version of Office 2024 for Windows and macOS -- download it now!

17 Comments

EndeavourOS ARM discontinued: A huge loss for the Linux community

9 Comments

© 1998-2024 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.