
Vulnerability Handling in 2023: 28,000 New CVEs, 84 New CNAs

A total of more than 28,000 CVE IDs were assigned in 2023 and 84 new CVE Numbering Authorities (CNAs) were named. 

Both the number of organizations named a CVE Numbering Authority (CNA) and the number of Common Vulnerabilities and Exposures (CVE) identifiers assigned in 2023 have increased compared to the previous year.

According to Jerry Gamblin, principal engineer at Cisco Threat Detection & Response, 28,902 CVEs were published in 2023, up from 25,081 in 2022. This is an average of nearly 80 new CVEs per day. The number of published CVEs has been steadily increasing since 2017. 

In terms of severity, the average CVSS score of the 2023 CVEs was 7.12, with 36 vulnerabilities being assigned a score of 10.

According to data from the CVE Program, which is maintained by MITRE and sponsored by the US government, the number of new CNAs announced in 2023 increased to 84, from 56 in 2022. Currently, there are nearly 350 CNAs from 38 countries.

CNAs are vendors, cybersecurity companies and other organizations that are allowed to assign CVE identifiers to vulnerabilities found in their own products and/or the products of others. 

The list of new CNAs includes independent hacking groups such as Austin Hackers Anonymous; software organizations such as ServiceNow and Open Design Alliance; hardware makers such as Schweitzer Engineering Laboratories, AMI, Moxa, Phoenix Technologies and Arm; government agencies such as National Cyber Security Centre Finland (NCSC-FI); cybersecurity firms such as Mandiant, Checkmarx, Otorio, VulnCheck, CrowdStrike, SEC Consult, Illumio and HiddenLayer; and printing giants Lexmark, Canon (EMEA) and Xerox.

Gamblin noted that 250 CNAs published at least one CVE in 2023. The top CNAs were Microsoft, VulDB, GitHub, and WordPress security companies WPScan and PatchStack. VulDB, GitHub, WPScan and PatchStack assigned a total of more than 6,700 CVEs last year. 

The most commonly assigned type of Common Weakness Enumeration (CWE) identifier was CWE-79, improper neutralization of input during web page generation, also known as cross-site scripting (XSS). Over 4,100 CVEs were assigned to XSS vulnerabilities last year. 

XSS was followed at a distance by SQL injection vulnerabilities, with roughly 2,000 security holes in this category. 
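The year-end figures above (records published, average CVSS score, perfect-10 count, CVEs per CNA, CVEs per CWE) are straightforward aggregations over the published CVE records. The Python below is an added example, not Gamblin's or SecurityWeek's code, that computes the same tallies from CVE Record Format 5.x JSON. The six records are constructed test data with placeholder CVE IDs, and the assigner names follow the article's wording rather than the CNAs' registered short names; the field paths used (cveMetadata.assignerShortName, containers.cna.metrics[].cvssV3_1.baseScore, containers.cna.problemTypes[].descriptions[].cweId) are those of the published 5.x record schema.

```python
"""Tally CVE Record Format 5.x JSON the way the yearly statistics are produced."""
from collections import Counter
from statistics import mean

# Prefer the newest CVSS version a CNA supplied; fall back to older ones.
METRIC_KEYS = ("cvssV4_0", "cvssV3_1", "cvssV3_0")
METRIC_VERSION = {"cvssV4_0": "4.0", "cvssV3_1": "3.1", "cvssV3_0": "3.0"}


def make_record(cve_id, assigner, base_score, cwes, metric_key="cvssV3_1"):
    """Build a minimal 5.x-shaped record. Constructed test data, not a real CVE."""
    cna = {
        "problemTypes": [
            {"descriptions": [{"lang": "en", "type": "CWE", "cweId": c} for c in cwes]}
        ]
    }
    if base_score is not None:  # unscored records simply omit the metrics array
        cna["metrics"] = [
            {metric_key: {"version": METRIC_VERSION[metric_key], "baseScore": base_score}}
        ]
    return {
        "dataType": "CVE_RECORD",
        "cveMetadata": {"cveId": cve_id, "assignerShortName": assigner, "state": "PUBLISHED"},
        "containers": {"cna": cna},
    }


# Constructed sample: placeholder IDs, assigner names as written in the article.
SAMPLE_RECORDS = [
    make_record("CVE-2023-EXAMPLE-1", "Microsoft", 9.8, ["CWE-787"]),
    make_record("CVE-2023-EXAMPLE-2", "GitHub", 6.1, ["CWE-79"]),
    make_record("CVE-2023-EXAMPLE-3", "WPScan", 10.0, ["CWE-89"]),
    make_record("CVE-2023-EXAMPLE-4", "VulDB", 5.3, ["CWE-79"], metric_key="cvssV3_0"),
    make_record("CVE-2023-EXAMPLE-5", "Patchstack", None, ["CWE-79"]),  # no score yet
    make_record("CVE-2023-EXAMPLE-6", "Patchstack", 7.5, []),  # no CWE assigned
]


def cvss_base_score(record):
    """Return the CNA-supplied base score, or None when the record is unscored."""
    metrics = record.get("containers", {}).get("cna", {}).get("metrics", [])
    for metric in metrics:
        for key in METRIC_KEYS:
            if key in metric and "baseScore" in metric[key]:
                return float(metric[key]["baseScore"])
    return None


def cwe_ids(record):
    """Return the distinct CWE IDs the CNA attached to the record."""
    found = set()
    for problem in record.get("containers", {}).get("cna", {}).get("problemTypes", []):
        for desc in problem.get("descriptions", []):
            if desc.get("cweId"):
                found.add(desc["cweId"])
    return sorted(found)


def summarize(records):
    """Compute the year-end style tallies over a list of 5.x records."""
    scores = [s for s in map(cvss_base_score, records) if s is not None]
    by_cna = Counter(r["cveMetadata"]["assignerShortName"] for r in records)
    by_cwe = Counter(c for r in records for c in cwe_ids(r))
    return {
        "total": len(records),
        "scored": len(scores),  # unscored records are excluded from the average
        "average_cvss": round(mean(scores), 2) if scores else None,
        "perfect_tens": sum(1 for s in scores if s == 10.0),
        "active_cnas": len(by_cna),
        "by_cna": by_cna,
        "by_cwe": by_cwe,
    }


if __name__ == "__main__":
    stats = summarize(SAMPLE_RECORDS)
    print(f"{stats['total']} CVEs, {stats['scored']} scored, "
          f"average CVSS {stats['average_cvss']}, {stats['perfect_tens']} rated 10.0")
    print("active CNAs:", stats["active_cnas"], dict(stats["by_cna"]))
    print("top CWEs:", stats["by_cwe"].most_common(3))
```

Two choices matter for reproducing published numbers: records without a CVSS metric are left out of the average rather than counted as zero, and each CWE is counted once per record even if the CNA listed it twice, so the CWE tally is a count of CVEs, not of problemType entries.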


Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.