The new report believes that the existing CVSS vulnerability scoring system is inadequate: ignoring the actual situation, 6 of the top 10 vulnerabilities last year were overrated. 02/21 Update SLTechnology News&Howtos

The new report believes that the existing CVSS vulnerability scoring system is inadequate: ignoring the actual situation, 6 of the top 10 vulnerabilities last year were overrated.

2025-02-21 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > IT Information >

Shulou(Shulou.com)11/24 Report--

CTOnews.com February 14 news, according to the latest report released by the security agency JFrog attack, for the 2022 CVE high-risk vulnerabilities, in-depth analysis of the DevOps and DevSecOps team the most impact of open source security vulnerabilities.

Of the top 10 CVE vulnerabilities reported in 2022, six were overestimated. This means they score higher in the NVD rating than JFrog's own analysis. In addition, the most common CVE in the enterprise is a low-severity problem that simply cannot be resolved.

The report states that it takes approximately 246 days for an enterprise to fix a security issue, and most organizations have limited resources, so it is critical for enterprises to correctly identify the most serious vulnerabilities and prioritize mitigation measures.

JFrog's analysis is based on real anonymous data from JFrog Artifactory, whose software repository is used by more than 7000 customers worldwide to securely manage artifacts, binaries, and other items in the software supply chain. This anonymized data provides a view of what leading companies are doing in the real world, revealing the issues most likely to affect software companies worldwide.

Shachar Menashe, senior director of security research at JFrog, said:

The current CVSS system is flawed, and vulnerability scores cannot always be truly verified before release. Most of the vulnerabilities detailed in this report are harder to exploit than those reported and therefore do not merit a high NVD severity rating.

Vulnerability should be assessed through real-world impact and real-world situational analysis. How does the exploitability of CVE in your website affect the local environment?

When CNA assigns newsworthy but unwarranted high criticality levels, it is unreasonable and causes organizations to waste valuable time and resources mitigating vulnerabilities that are highly unlikely to have any real impact on their systems.

Interested CTOnews.com users can go here for the full report.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.

*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.