Open
Description
You seem to create CVSS v4 scores for some advisories, as I found out in #5032.
I condensed the original discussion into this issue.
There are some problems with that; here is a quick recap:
- This is only done for certain CVEs, not all
- The process how these CVSS v4 values are created is not transparent
- There is no (public) documentation that this is done, how this is done and why it is done
- Likely no communication with CVE creators / CVSS v4 values do not match CVE descriptions (which usually only contain a CVSS v3 score explanation)
- Created CVSS v4 scores are not marked as "computed from CVSS v3 by GitHub" or something similar anywhere
- Original CVSS score is not used for computing the severity
Please have a look at the original discussion for more details.
Anyway, this process seems to result in incorrect scores (some values do not match at all) and incorrect severity values, thus also resulting in false positives and negatives in downstream scanners that utilize the database with severity filters.
Spontaneously found examples:
| CVE | CVSS v3 (original) | CVSS v4 created by GitHub (used in severity) | Note |
|---|---|---|---|
| | 5.5 moderate | 7.0 High | See #5032 |
| CVE-2024-53848 | 7.1 High | 6.1 Moderate | Vulnerable System Impact Metrics seem to be missing |
| CVE-2024-52806 | 8.3 High | 6.9 Medium | Vulnerable System Impact Metrics seem to be missing |
| CVE-2024-51132 | 9.8 Critical | 8.8 High | Subsequent System Impact Metrics seem to be missing |
| CVE-2024-43499 | 7.5 High | 0.0 Low | CVSS v3 is not present in database but was declared in CVE? Not sure what's going on here... |
| CVE-2024-50379 | 9.8 Critical | 7.2 High | Subsequent System Impact Metrics seem to be missing |
The overall current situation erodes (my) trust in this - security critical - system as distinguishing between correct and incorrect scores is no longer easily possible.
Further references:
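As an added example (not part of this issue and not GitHub's own tooling), a consistency check a downstream consumer could run over advisory records to flag the pattern described in the table, where the v4 vector carries no Vulnerable System or Subsequent System impact metrics even though the v3 vector does. The record layout follows the OSV `severity` field (type plus vector string); the GHSA ids and vectors are constructed placeholders, not the real data of the CVEs listed above.

```python
from typing import Dict, List

# Constructed sample records in the OSV "severity" layout (type + vector);
# ids and vectors are placeholders, not the real data of the CVEs in the table.
SAMPLE_ADVISORIES = [
    {"id": "GHSA-xxxx-example-1", "severity": [
        {"type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},
        {"type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N"}]},
    {"id": "GHSA-xxxx-example-2", "severity": [
        {"type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},
        {"type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}]},
    {"id": "GHSA-xxxx-example-3", "severity": [
        {"type": "CVSS_V3", "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},
        {"type": "CVSS_V4", "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"}]},
]


def parse_vector(vector: str) -> Dict[str, str]:
    """Split 'CVSS:3.1/AV:N/...' into {metric: value}; the version lands under the 'CVSS' key."""
    return dict(part.split(":", 1) for part in vector.split("/"))


def impact_metric_gaps(v3: str, v4: str) -> List[str]:
    """Findings where the v4 vector drops impact information the v3 vector carries."""
    m3, m4 = parse_vector(v3), parse_vector(v4)
    findings = []
    v3_has_impact = any(m3.get(k, "N") != "N" for k in ("C", "I", "A"))
    v4_vuln_empty = all(m4.get(k, "N") == "N" for k in ("VC", "VI", "VA"))
    if v3_has_impact and v4_vuln_empty:
        findings.append("v3 has C/I/A impact but v4 Vulnerable System impact metrics are all N")
    # A Changed scope in v3 means impact beyond the vulnerable component, which v4
    # expresses through the Subsequent System metrics; all-N there is suspicious.
    v4_sub_empty = all(m4.get(k, "N") == "N" for k in ("SC", "SI", "SA"))
    if m3.get("S") == "C" and v4_sub_empty:
        findings.append("v3 scope is Changed but v4 Subsequent System impact metrics are all N")
    return findings


def audit(advisories) -> Dict[str, List[str]]:
    """Run the gap check on every record carrying both a v3 and a v4 vector."""
    report = {}
    for adv in advisories:
        scores = {s["type"]: s["score"] for s in adv.get("severity", [])}
        if "CVSS_V3" in scores and "CVSS_V4" in scores:
            report[adv["id"]] = impact_metric_gaps(scores["CVSS_V3"], scores["CVSS_V4"])
    return report


if __name__ == "__main__":
    for adv_id, findings in audit(SAMPLE_ADVISORIES).items():
        print(adv_id, findings or "consistent")
```

Records that trip either check are the ones worth comparing by hand against the CVE's original v3 explanation before trusting the database's severity for filtering.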