I need clarifications regarding CVSS:

  1. What is better for the references? CVSSv2 or CVSSv3? V3 is new, but V2 is mature.

  2. Why are there differences in CVSS scores between the NVD NIST repository and the Red Hat repository?

For example:

https://access.redhat.com/security/cve/cve-2016-7167 CVSS v2: 4.3

https://nvd.nist.gov/vuln/detail/CVE-2016-7167 CVSS v2: 7.5

schroeder

Michael

3 Answers

3

CVSS is a scoring system; it is subjective and open to interpretation by the person scoring the vulnerability. If you look at the two scores you'll see that one rates high confidentiality impact and one rates none.

On which one to use, there is no real right answer here; it's what's right for you. In my organisation we use version 3. This guide from Acunetix might help you make up your mind: Acunetix CVSS version guide

iainpb
2

The scores are different because this vulnerability is understood differently. In the case of Red Hat, they suggest that the vulnerability can only be used to crash the application. In the case of NVD, they suggest that the vulnerability can be used to execute arbitrary code.

According to the vendor's advisory, NVD was wrong to assume RCE. The vulnerability cannot be used to execute arbitrary code, only for DoS.

As for CVSSv2 and v3: there is no such thing as a mature scoring system. CVSSv3 was introduced to eliminate "inconsistencies" caused by CVSSv2 scoring, and it had partial success. Both scoring systems are far from perfect (my opinion).

hft

Valery Marchuk
  • Ok, so which repository should I use to get the correct score? The vendor repository? – Michael Sep 07 '17 at 06:25
  • I cannot answer your question, because we are people and people make mistakes. Vendors usually do not post CVSS scores, and even if they do, they make mistakes. Why do you need these scores? – Valery Marchuk Sep 07 '17 at 07:36
  • @ValeryMarchuk One usage is to classify an issue as low/moderate/high priority. For instance, RCE or remote denial of service should be fixed in two days, or all issues with a CVSS score higher than 7.0 should be applied immediately, and so on. – VP. Feb 17 '18 at 19:14
0

CVSSv3 introduces changes in the scoring system that more accurately reflect vulnerabilities in web applications and virtualized environments (i.e. guest escape).

While all three metric groups (the Base Score, the Temporal Score and the Environmental Score) remained the same, new metrics such as Scope (S) and User Interaction (UI) were added, and old metrics such as Authentication (Au) were changed to newer ones such as Privileges Required (PR).

The Environmental metric group got a new addition, the Modified Base Metrics, allowing us to customize the CVSS score based on the host that has been affected, making it contextual if so required.

VP.