{"id":3460,"date":"2025-06-01T15:30:56","date_gmt":"2025-06-01T14:30:56","guid":{"rendered":"https:\/\/aegislens.com\/home\/?p=3460"},"modified":"2025-06-01T15:30:56","modified_gmt":"2025-06-01T14:30:56","slug":"weekly-highlight-nists-new-vulnerability-metrics-proposal-and-the-discovered-flaws-in-nasas-open-source-software","status":"publish","type":"post","link":"https:\/\/aegislens.com\/home\/weekly-highlight-nists-new-vulnerability-metrics-proposal-and-the-discovered-flaws-in-nasas-open-source-software\/","title":{"rendered":"Weekly Highlight: NIST&#8217;s New Vulnerability Metrics Proposal and the Discovered Flaws in NASA\u2019s Open Source Software"},"content":{"rendered":"<h2>NIST\u2019s Novel Approach to Vulnerability Metrics<\/h2>\n<p>The National Institute of Standards and Technology (NIST) has proposed a new metric designed to evaluate vulnerabilities and their potential for exploitation.<\/p>\n<p>Using this approach, organizations can prioritize vulnerabilities according to their likelihood of being exploited.<\/p>\n<p>The approach starts from the base score calculated with the Common Vulnerability Scoring System (CVSS), which quantifies severity, and then adjusts that score according to the likelihood that the vulnerability will be exploited.<\/p>\n<p>CVSS is an industry-standard metric for assigning severity scores to vulnerabilities.<\/p>\n<p>It helps stakeholders prioritize their response activities and determine how urgent a given vulnerability is.<\/p>\n<p>The score is represented numerically on a scale of 0-10.<\/p>\n<p>However, the existing CVSS scoring system focuses on potential impact rather than on the likelihood of exploitation.<\/p>\n<p>This is where NIST&#8217;s new proposal can fill the gap.<\/p>\n<p>By providing a real-time, dynamic evaluation of vulnerabilities, it can lead to better-informed response to, and prevention of, cyber threats.<\/p>\n<h2>Vulnerabilities in NASA&#8217;s Open Source Software<\/h2>\n<p>Security researcher Leon Jurani\u0107 has discovered numerous vulnerabilities in NASA&#8217;s in-house open source software.<\/p>\n<p>These vulnerabilities could potentially be exploited by attackers to breach the systems that run it.<\/p>\n<p>The affected software is &#8216;NASA CFITSIO&#8217;, a library of C and Python functions that read and write data files in the FITS (Flexible Image Transport System) format.<\/p>\n<p>The primary concern is that this software is not used only by NASA: it is also widely used across the astronomical community, in telescope software and other satellite-imagery software.<\/p>\n<p>Exploitation of these vulnerabilities could therefore reach well beyond NASA, affecting other organizations and entities globally.<\/p>\n<p>NASA has been informed of the vulnerabilities, and it is likely they are working on patches as we speak.<\/p>\n<p>This incident serves as a crucial reminder that open source software, while cost-effective and flexible, can also pose significant cybersecurity concerns.<\/p>\n<p>Organizations that use such software should adopt robust vulnerability management programs and maintain a strong security posture.<\/p>\n<h2>Follow-Up Reading<\/h2>\n<p>For more information on these topics, please check out the following articles:<\/p>\n<ol>\n<li><a href=\"https:\/\/nist.gov\/news\/vulnerability-metric\">NIST&#8217;s proposal on a new vulnerability metric<\/a><\/li>\n<li><a href=\"https:\/\/threatleap.com\/nasa-vulnerabilities\">Details on the vulnerabilities found in NASA&#8217;s open-source software, by ThreatLeap<\/a><\/li>\n<li><a href=\"https:\/\/opensource.com\/article\/securing-open-source-software\">Securing open-source software<\/a><\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"<p>NIST\u2019s Novel Approach to Vulnerability Metrics The National Institute of Standards and Technology (NIST) has<\/p>\n","protected":false},"author":1,"featured_media":3461,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"pmpro_default_level":"","_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[2,5],"tags":[],"class_list":["post-3460","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","category-news","pmpro-has-access"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/aegislens.com\/home\/wp-json\/wp\/v2\/posts\/3460","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/aegislens.com\/home\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/aegislens.com\/home\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/aegislens.com\/home\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/aegislens.com\/home\/wp-json\/wp\/v2\/comments?post=3460"}],"version-history":[{"count":1,"href":"https:\/\/aegislens.com\/home\/wp-json\/wp\/v2\/posts\/3460\/revisions"}],"predecessor-version":[{"id":3462,"href":"https:\/\/aegislens.com\/home\/wp-json\/wp\/v2\/posts\/3460\/revisions\/3462"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/aegislens.com\/home\/wp-json\/wp\/v2\/media\/3461"}],"wp:attachment":[{"href":"https:\/\/aegislens.com\/home\/wp-json\/wp\/v2\/media?parent=3460"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/aegislens.com\/home\/wp-json\/wp\/v2\/categories?post=3460"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/aegislens.com\/home\/wp-json\/wp\/v2\/tags?post=3460"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}