We are working on our Vulnerability Management process and as part of that, I was going through the reports from our infrastructure vulnerability scanner. In the reports, I noticed that some of the CVEs does not have a CVSSv3 score, but they have a CVSSv2 score. Eg: CVE-2008-6536.
What does that mean? Does it mean that if we are planning to handle our vulnerabilities based on CVSSv3 score, then we don't have to consider CVE-2008-6536? This particular CVE has a CVSSv2 score of 10, but it says 'Not Applicable' under CVSSv3.