With the first half of 2023 over, I figured I would take some time and review the data and highlight some of the most interesting data points so far this year. This GitHub repo contains the code for all the data and graphs this blog uses.
By The Numbers
So far this year, there have been 14,129 published CVEs. On average, there were 78.06 CVEs published per day. So far, March is the month with the most CVEs published, with 2,519 or 17.8% of all CVEs for the year.
January 26th had the most CVEs published in a single day, with 348 or 2.46% of all CVEs.
CVEs By Month
Month | CVEs | Percentage |
January | 2338 | 16.5 |
February | 2123 | 15.0 |
March | 2519 | 17.8 |
April | 2335 | 16.5 |
May | 2420 | 17.1 |
June | 2394 | 16.9 |
CVSS
The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal characteristics of a vulnerability and produce a numerical score from 0.0 to 10.0, reflecting its severity. The average CVSS score this year was 7.13.
So far this year, 18 CVEs scored a “perfect” 10.0.
CVE-2023-21928, a vulnerability in Oracle Solaris, had the lowest score of 1.8.
CPE
Common Platform Enumeration (CPE) is a structured naming scheme for information technology systems, software, and packages to help identify vulnerable software identified in a CVE.
So far this year, there have been 1,610 unique CPEs identified in CVEs. The most common was cpe:2.3:o:google:android:12.0:*:*:*:*:*:*:*
that was applied to 309 CVEs
CVE-2023-20027, a vulnerability in Cisco IOS XE, is the CVE with the most CPEs with 190 unique, vulnerable configurations.
CNA
CVE Numbering Authorities (CNAs) are software vendors, open source projects, coordination centers, bug bounty service providers, hosted services, and research groups authorized by the CVE Program to assign CVE IDs to vulnerabilities and publish CVE Records within their specific scopes of coverage.
Today there are 303 CNAs. So far this year, 198 unique assigners have published a minimum of 1 CVE. To make this confusing, 147 CNAs have not posted a CVE this year, and 124 CNAs not listed as an assigner published at least one CVE.
Top CNAs
The Top 5 CNAs so far this year:
VulDB
Github
PatchStack
WPScan
Microsoft
Four of the top five CNAs this year, excluding Microsoft, were purpose-built to report CVEs for various projects.
CWE
CWE is a community-developed list of software and hardware weakness types. It is a common language, a measuring stick for security tools, and a baseline for weakness identification, mitigation, and prevention efforts.
There are 1332 CWEs, and so far this year, 221 have been assigned to CVEs. CWE-79 was the most assigned CWE and was assigned 2415 times or to 17.09% of all CVEs. NVD didn’t assign a CWE 1819 times or to 12.87% of all CVEs.
Notes
- All data and graphs for this blog post were created using the jupyter notebooks in the GitHub Repo.
- Rejected CVEs have been removed from the dataset because some CNAs publish and reject any unused reserved CVE IDs causing an artificially inflated record count.
- CVE.ICU is a jupyterbook site that I run that has real-time CVE information throughout the year.