
We are working on our Vulnerability Management process and as part of that, I was going through the reports from our infrastructure vulnerability scanner. In the reports, I noticed that some of the CVEs do not have a CVSSv3 score, but they have a CVSSv2 score. E.g.: CVE-2008-6536.

What does that mean? Does it mean that if we are planning to handle our vulnerabilities based on CVSSv3 score, then we don't have to consider CVE-2008-6536? This particular CVE has a CVSSv2 score of 10, but it says 'Not Applicable' under CVSSv3.

Sreeraj

1 Answer

CVSS v3 was released in 2015 so vulnerabilities prior to that were only rated according to the then-current CVSS v2. Also, my guess would be that "N/A" in this context stands for "not available" instead of "not applicable".

Of course, you should consider CVEs prior to 2015.

SeeYouInDisneyland
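
An added example, not part of the original answer: a triage filter that prefers the CVSSv3 score and falls back to CVSSv2 when the scanner reports none, so a v3-only threshold does not silently drop findings such as CVE-2008-6536. The field names, the 7.0 threshold and every row except CVE-2008-6536 are constructed assumptions.

```python
from typing import Optional

# Strings a scanner export may use when it has no score (assumed spellings).
MISSING = {"", "n/a", "na", "none", "not applicable", "not available"}

def parse_score(raw) -> Optional[float]:
    """Return a CVSS base score as a float, or None when no score is present."""
    if raw is None or str(raw).strip().lower() in MISSING:
        return None
    score = float(str(raw).strip())
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {raw!r}")
    return score

def effective_score(finding: dict):
    """Prefer CVSSv3, fall back to CVSSv2, otherwise report 'unscored'."""
    for field, source in (("cvss_v3", "v3"), ("cvss_v2", "v2")):
        score = parse_score(finding.get(field))
        if score is not None:
            return score, source
    return None, "unscored"

def v3_only(findings, threshold=7.0):
    """The naive filter: anything without a v3 score is never selected."""
    selected = []
    for f in findings:
        score = parse_score(f.get("cvss_v3"))
        if score is not None and score >= threshold:
            selected.append(f["cve"])
    return selected

def triage(findings, threshold=7.0):
    """Return (in_scope, needs_review); unscored findings go to manual review."""
    in_scope, needs_review = [], []
    for f in findings:
        score, source = effective_score(f)
        if score is None:
            needs_review.append(f["cve"])
        elif score >= threshold:  # same threshold for v2 and v3: an assumption
            in_scope.append((f["cve"], score, source))
    return sorted(in_scope, key=lambda row: -row[1]), needs_review

# Constructed scanner rows; only CVE-2008-6536 and its v2 score come from the page.
SAMPLE = [
    {"cve": "CVE-2008-6536", "cvss_v3": "Not Applicable", "cvss_v2": "10"},
    {"cve": "CVE-EXAMPLE-0001", "cvss_v3": "8.1", "cvss_v2": "6.8"},
    {"cve": "CVE-EXAMPLE-0002", "cvss_v3": "N/A", "cvss_v2": "4.3"},
    {"cve": "CVE-EXAMPLE-0003", "cvss_v3": "", "cvss_v2": None},
]

if __name__ == "__main__":
    print("v3 only:", v3_only(SAMPLE))
    print("with v2 fallback:", triage(SAMPLE))
```

The `source` value in each result records which CVSS version the score came from, since v2 and v3 scores are computed differently and are not directly comparable.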