Heimdal
article featured image

Contents:

NIST’s National Vulnerability Database (NVD) stopped enriching with information most of the CVEs they register.

Although they also consider other factors when deciding what to patch first, companies worldwide rely on NVD`s collection of vulnerability data for their research.

For the past 2020, the National Vulnerability Database added the following information to vulnerabilities that got a CVE ID:

  • an estimated severity score, through the Common Vulnerability Scoring System (CVSS)
  • the vulnerability types – Common Weakness Enumerations (CWE)
  • data about which versions and products the CVE impacts (CPE entries)
  • information about the vulnerability’s functionality
  • information about how hackers can exploit the CVE
  • links to advisories

According to the NVD website:

This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.

How could a lack of details on CVEs impact security?

NIST’s National Vulnerability Database is a critical resource that organizations use to identify and close vulnerabilities in their systems. While it is not the only source of information or the only factor to be considered when assessing vulnerabilities and prioritizing patching, NVD offers valuable information.

The problem is you have less visibility regarding how a certain CVE might affect you.

When assessing what vulnerability to patch first, you consider various factors, most of which depend on the company’s specifics. You don’t make that decision based on the CVSS score alone.

However, you need to know what a vulnerability can do, and how can hackers use it in their attacks.

So, the information in NIST’s NVD is still one of the most valuable intelligence sources.

, says System Administrator Alexandru Panait.

For example, in absence of Common Product Enumerators (CPE) details, IT teams will not know which of the software on their devices could be vulnerable and needs patching. They will only know that a CVE exists and nothing more. So, vulnerability management will be a harder process for them.

Why did NVD stop updating data on CVEs?

Starting February 12th, NVD began publishing CVEs without any analysis. Until now, there are more than 2500 of them, which is around 40% of all the CVEs registered since the beginning of 2024.

It is not clear why the National Vulnerability Database slowed down enriching information on CVEs. The only information is a banner that appeared on February 15th, stating that:

NIST is currently working to establish a consortium to address challenges in the NVD program and develop improved tools and methods. You will temporarily see delays in analysis efforts during this transition. We apologize for the inconvenience and ask for your patience as we work to improve the NVD program.

nvd notice

Source – the NVD website

If you liked this article, follow us on LinkedIn, Twitter, Facebook, and Youtube, for more cybersecurity news and topics.

 

Author Profile

Livia Gyongyoși

Communications and PR Officer

Livia Gyongyoși is a Communications and PR Officer within Heimdal®, passionate about cybersecurity. Always interested in being up to date with the latest news regarding this domain, Livia's goal is to keep others informed about best practices and solutions that help avoid cyberattacks.

CHECK OUR SUITE OF 11 CYBERSECURITY SOLUTIONS

SEE MORE