
Stop creation of CVSS v4 by yourself #5058

Open
AB-xdev opened this issue Dec 5, 2024 · 0 comments

Comments


AB-xdev commented Dec 5, 2024

You seem to create CVSS v4 scores for some advisories, as I found out in #5032.
I condensed the original discussion into this issue.

There are some problems with that, here is a quick recap:

  • This is only done for certain CVEs, not all
  • The process by which these CVSS v4 values are created is not transparent
    • There is no (public) documentation that this is done, how this is done and why it is done
    • Likely no communication with CVE creators / CVSSv4 values do not match CVE descriptions (usually only contains CVSS v3 score explanation)
  • Created CVSS v4 scores are not marked as "computed from CVSSv3 by GitHub" or something similar anywhere
  • Original CVSS score is not used for computing the severity

Please have a look at the original discussion for more details.

Anyway, this process seems to result in incorrect scores (some values do not match at all) and incorrect severity values, thus also resulting in False Positives and Negatives in downstream scanners that utilize the database with severity filters.

Spontaneously found examples:

| CVE | CVSS v3 (original) | CVSS v4 created by GitHub (used in severity) | Note |
|---|---|---|---|
| CVE-2024-47535 | 5.5 Moderate | 7.0 High | See #5032 |
| CVE-2024-53848 | 7.1 High | 6.1 Moderate | Vulnerable System Impact Metrics seem to be missing |
| CVE-2024-52806 | 8.3 High | 6.9 Medium | Vulnerable System Impact Metrics seem to be missing |
| CVE-2024-51132 | 9.8 Critical | 8.8 High | Subsequent System Impact Metrics seem to be missing |
| CVE-2024-43499 | 7.5 High | 0.0 Low | CVSSv3 is not present in database but was declared in CVE? Not sure what's going on here... |
| CVE-2024-50379 | 9.8 Critical | 7.2 High | Subsequent System Impact Metrics seem to be missing |

The overall current situation erodes (my) trust in this - security critical - system as distinguishing between correct and incorrect scores is no longer easily possible.

Further references:
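The pattern described in the table (v4 impact metrics dropped, severity band shifting between v3 and v4) can be caught by a downstream consumer before a severity filter acts on the GitHub-supplied v4 score. The following checker is an added example, not code from the issue or from GitHub; the vectors and scores it is run on are constructed inputs, not the real data of the CVEs listed above.

```python
"""Cross-check a GitHub-supplied CVSS v4 vector/score against an advisory's original CVSS v3 data."""


def parse_vector(vec: str) -> dict[str, str]:
    """Split 'CVSS:3.1/AV:N/AC:L/...' into {'AV': 'N', 'AC': 'L', ...}; the version prefix is dropped."""
    parts = vec.split("/")
    if not parts[0].startswith("CVSS:"):
        raise ValueError(f"not a CVSS vector: {vec!r}")
    return dict(part.split(":", 1) for part in parts[1:])


def severity(score: float) -> str:
    """Qualitative rating scale shared by CVSS v3.x and v4.0 (GitHub calls 'Medium' 'Moderate')."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Moderate"
    if score < 9.0:
        return "High"
    return "Critical"


def check_advisory(cve: str, v3_vector: str, v3_score: float, v4_vector: str, v4_score: float) -> list[str]:
    """Return findings for one advisory; an empty list means v3 and v4 look consistent."""
    v3, v4 = parse_vector(v3_vector), parse_vector(v4_vector)
    findings = []
    # v3 C/I/A describe impact on the vulnerable component; v4 splits this into
    # VC/VI/VA (vulnerable system) and SC/SI/SA (subsequent systems).
    v3_impact = [v3.get(m, "N") for m in ("C", "I", "A")]
    v4_vuln = [v4.get("V" + m, "N") for m in ("C", "I", "A")]
    v4_subseq = [v4.get("S" + m, "N") for m in ("C", "I", "A")]
    if any(v != "N" for v in v3_impact) and all(v == "N" for v in v4_vuln):
        findings.append(f"{cve}: v4 vulnerable-system impact (VC/VI/VA) is all None although v3 reports impact")
    # v3 Scope:Changed means other components are affected; v4 expresses that via SC/SI/SA.
    if v3.get("S") == "C" and all(v == "N" for v in v4_subseq):
        findings.append(f"{cve}: v3 Scope:Changed but v4 subsequent-system impact (SC/SI/SA) is all None")
    if severity(v3_score) != severity(v4_score):
        findings.append(f"{cve}: severity band changed, v3 {severity(v3_score)} -> v4 {severity(v4_score)}")
    return findings


if __name__ == "__main__":
    # Constructed sample mirroring the "Vulnerable System Impact Metrics seem to be missing" rows.
    for line in check_advisory("EXAMPLE-1", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", 7.5,
                               "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N", 6.9):
        print(line)
```

Any advisory with findings should fall back to the original CVSS v3 severity for filtering rather than the derived v4 one.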
