NIST marks CVEs pre-2018 as “Deferred” in the NVD as agency focus shifts to managing emerging threats
Analysis Summary
This article discusses a procedural change made by the National Institute of Standards and Technology (NIST) regarding the management of the National Vulnerability Database (NVD) entries, rather than detailing a specific technical security vulnerability. Therefore, the structured breakdown will reflect the administrative nature of the information provided in the source text.
# Vulnerability: NVD Backlog Management - Deferral of Pre-2018 CVEs
This entry summarizes the administrative action NIST has taken on older CVE records; it does not describe a patchable software flaw.
## CVE Details
- CVE ID: N/A (This is a procedural announcement affecting **all CVEs published before January 1, 2018**)
- CVSS Score: N/A
- CWE: N/A
## Affected Systems
- Products: All entries in the National Vulnerability Database (NVD) published prior to January 1, 2018.
- Versions: N/A
- Configurations: N/A
## Vulnerability Description
NIST has initiated a process to mark all Common Vulnerabilities and Exposures (CVEs) assigned before January 1, 2018, as **_Deferred_** within the NVD system. This action is being taken to help NIST manage a significant and growing data enrichment backlog. Deferred CVEs will no longer be prioritized for enrichment data updates unless they are specifically listed in the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog. Over 20,000 entries have already been impacted by this shift.
## Exploitation
- Status: Not Applicable (This is a database management action, not a technical vulnerability).
- Complexity: N/A
- Attack Vector: N/A
## Impact
- Confidentiality: N/A
- Integrity: N/A
- Availability: N/A (The impact is on data completeness and enrichment timeliness within the NVD, not system security).
## Remediation
### Patches
- **NIST is developing new systems** to process incoming data more efficiently to address the underlying backlog issue.
### Workarounds
- **For Security Teams:** Security teams should note that older CVEs now lack updated details unless they are on the CISA KEV list. Reliance on NVD enrichment data for pre-2018 vulnerabilities may be reduced.
## Detection
- **Indicators of Compromise:** N/A
- **Detection methods and tools:** NIST will add banners to the affected CVE pages in the NVD to indicate the 'Deferred' status.
## References
- Vendor Advisories: NIST / NVD Documentation
- Relevant links:
  - infosecurity-magazine.com/news/nist-vulnerability-database/