A recent report from Rezilion has shed light on some noteworthy vulnerabilities found in the first half of 2023 and provided recommended remediation strategies.
The vulnerabilities span various sources, including development processes, open source software and supply chains.
One such vulnerability regards Apache Superset (CVE-2023-27524). With Common Vulnerability Scoring System (CVSS) 9.8, the critical flaw exposed organizations to unauthorized access due to the use of default configurations.
Additionally, PaperCut (CVE-2023-27350) and Fortinet FortiOS (CVE-2022-41328) vulnerabilities allowed attackers to bypass authentication and execute code with system privileges. They had CVSS 9.8 and 7.1 scores, respectively.
The JsonWebToken vulnerability (tracked CVE-2022-23529) is also mentioned in the report. The flaw was a significant concern, initially assigned a high CVSS score of 9.8.
However, upon closer examination and thorough analysis, the severity of this vulnerability was reevaluated and subsequently retracted. This highlights the critical role of meticulous scrutiny and active community involvement in ensuring precise assessments and effective mitigation strategies.
Another vulnerability mentioned in the report (tracked CVE-2023-28858) had a CVSS score of 3.7 and affected the Open AI ChatGPT service, resulting in a leak of user data.
Read more on this flaw: ChatGPT Vulnerability May Have Exposed Users’ Payment Information
“Although the CVSS score for this vulnerability is relatively low, it gained attention due to the increasing reliance on AI services across industries,” explained Callie Guenther, cyber threat research senior manager at Critical Start.
“Security teams should give it attention, as even low-severity vulnerabilities in critical services can have significant consequences,” Guenther said.
To stay resilient against evolving cyber threats, the report says security leaders and teams must remain informed about the latest vulnerabilities and take proactive measures to mitigate the associated risks.
“Coming up with a list of the ‘most significant’ vulnerabilities is often a challenge,” explained Mike Parkin, senior technical engineer at Vulcan Cyber.
The security expert also emphasized the importance of considering various factors when evaluating the severity of an exploit, such as the number of targets affected.
“The bottom line is that if a CVE applies in your environment, you need to address it. If the CVE has exploits in the wild, you need to address it now,” Parkin added.
By understanding these vulnerabilities and implementing recommended fixes, organizations can fortify their defenses and protect against potential damages.