Dave,

On Sat, Aug 17, 2013 at 4:38 AM, Dave Aitel <[email protected]> wrote:
> This is also true on the assessment side - small errors can add up to cloud
> your situational awareness. For example, in the below referenced Twitter
> stream you can see a penetration tester scanning a network using a
> vulnerability assessment tool, which then marks a potential ColdFusion bug as
> "medium". Part of this is because the National Vulnerability Database marked
> it as having a CVSS score of 7.5, despite it being a remote, unauthenticated,
> SYSTEM-level vulnerability.
CVSSv2 (and I would assume the upcoming release of CVSSv3 too) states that the [CVSS] Score is the calculation of all the Base, Temporal and Environmental Metrics, since ultimately its intention is to prioritise the implementation of a patch and/or workaround. Therefore the Base Metric Score is not the overall CVSS Score.

Also, NVD defines both the Temporal and Environmental Metrics as "undefined", i.e. http://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2010-2861&vector=(AV%3AN/AC%3AL/Au%3AN/C%3AP/I%3AP/A%3AP), which does not conform to CVSSv2. Of note too is that Environmental Metrics are scored by the end user only.

The above issue isn't limited to NVD either, e.g. http://www.osvdb.org/show/osvdb/67047 (yes, I am aware that OSVDB is directly referencing NVD in this specific example).

CVE-2010-2861 is listed as a "remote, unauthenticated, SYSTEM-level vulnerability" on NVD too, i.e. "(AV:N/AC:L/Au:N ...", and therefore their implementation of http://nvd.nist.gov/cvss.cfm?vectorinfov2 is correct too.

-- 
Regards,
Christian Heinrich
http://cmlh.id.au/contact

_______________________________________________
Dailydave mailing list
[email protected]
https://lists.immunityinc.com/mailman/listinfo/dailydave
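The point made in the reply above (the Base Metric Score is not the overall CVSS Score, and leaving Temporal and Environmental metrics "not defined" is what keeps NVD's figure at 7.5) can be checked with a small CVSSv2 calculator. The following is an added example, not code from the thread, from NVD or from either poster. It implements the published CVSSv2 Base, Temporal and Environmental equations and metric weights; the base vector is the one NVD lists for CVE-2010-2861 (AV:N/AC:L/Au:N/C:P/I:P/A:P), while the temporal and environmental values used in the second vector (E:F/RL:OF/RC:C/CDP:MH/TD:H/CR:H/IR:H/AR:H) are constructed for illustration and are not NVD's or anyone's assessment of that CVE.

```python
"""CVSSv2 calculator: Base, Temporal and Environmental scores from a vector string.

Added example. Metric weights are the published CVSSv2 values. Temporal and
environmental metrics that are absent or given as ND (not defined) get the
weights the standard assigns to ND, which leave the score unchanged; that is
why a vector with only base metrics yields the same number for all three scores.
"""
from decimal import Decimal, ROUND_HALF_UP
from urllib.parse import unquote

BASE_WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},      # Access Vector
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},       # Access Complexity
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},      # Authentication
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},       # Confidentiality impact
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},       # Integrity impact
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},       # Availability impact
}
TEMPORAL_WEIGHTS = {
    "E": {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0},   # Exploitability
    "RL": {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0},  # Remediation Level
    "RC": {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0},             # Report Confidence
}
ENV_WEIGHTS = {
    "CDP": {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0},  # Collateral Damage
    "TD": {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0},            # Target Distribution
    "CR": {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},                       # Confidentiality Req.
    "IR": {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},                       # Integrity Req.
    "AR": {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},                       # Availability Req.
}


def round1(x):
    """CVSSv2 round_to_1_decimal, half up on the decimal repr to avoid binary FP ties."""
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def parse_vector(vector):
    """Parse '(AV:N/AC:L/...)' (URL-encoded as in the NVD link is fine) into a dict.

    Temporal/environmental metrics not present in the vector default to ND.
    """
    metrics = {m: "ND" for m in (*TEMPORAL_WEIGHTS, *ENV_WEIGHTS)}
    for part in unquote(vector).strip("() ").split("/"):
        name, _, value = part.partition(":")
        metrics[name] = value
    missing = [name for name in BASE_WEIGHTS if name not in metrics]
    if missing:
        raise ValueError(f"base metrics missing from vector: {missing}")
    return metrics


def _impact(m, reqs=(1.0, 1.0, 1.0)):
    """Impact sub-equation; with security requirements it is the AdjustedImpact equation."""
    c, i, a = (BASE_WEIGHTS[k][m[k]] for k in ("C", "I", "A"))
    cr, ir, ar = reqs
    return min(10.0, 10.41 * (1 - (1 - c * cr) * (1 - i * ir) * (1 - a * ar)))


def _base_from_impact(m, impact):
    exploitability = 20 * (BASE_WEIGHTS["AV"][m["AV"]]
                           * BASE_WEIGHTS["AC"][m["AC"]]
                           * BASE_WEIGHTS["Au"][m["Au"]])
    f_impact = 0.0 if impact == 0 else 1.176
    return round1(((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact)


def base_score(m):
    return _base_from_impact(m, _impact(m))


def _temporal_multiplier(m):
    return (TEMPORAL_WEIGHTS["E"][m["E"]]
            * TEMPORAL_WEIGHTS["RL"][m["RL"]]
            * TEMPORAL_WEIGHTS["RC"][m["RC"]])


def temporal_score(m):
    return round1(base_score(m) * _temporal_multiplier(m))


def environmental_score(m):
    """Environmental score: temporal equation recomputed over the AdjustedImpact."""
    reqs = tuple(ENV_WEIGHTS[k][m[k]] for k in ("CR", "IR", "AR"))
    adjusted_base = _base_from_impact(m, _impact(m, reqs))
    adjusted_temporal = round1(adjusted_base * _temporal_multiplier(m))
    cdp = ENV_WEIGHTS["CDP"][m["CDP"]]
    td = ENV_WEIGHTS["TD"][m["TD"]]
    return round1((adjusted_temporal + (10 - adjusted_temporal) * cdp) * td)


def scores(vector):
    """Return the three CVSSv2 scores for a vector string."""
    m = parse_vector(vector)
    return {"base": base_score(m),
            "temporal": temporal_score(m),
            "environmental": environmental_score(m)}


if __name__ == "__main__":
    # NVD's vector for CVE-2010-2861, base metrics only: 7.5 across the board.
    print(scores("(AV%3AN/AC%3AL/Au%3AN/C%3AP/I%3AP/A%3AP)"))
    # Constructed temporal/environmental values (not NVD's): the overall score moves.
    print(scores("AV:N/AC:L/Au:N/C:P/I:P/A:P/E:F/RL:OF/RC:C/CDP:MH/TD:H/CR:H/IR:H/AR:H"))
```

With only the base metrics supplied, all three scores come out at 7.5, which is exactly what a consumer that reads NVD's "undefined" temporal and environmental metrics sees. Supplying the constructed values above drops the temporal score to 6.2 (a functional exploit exists but an official fix is out) and lifts the environmental score to 8.4 for an organisation that rates all three security requirements High, which is the end-user scoring step the reply says NVD cannot perform on anyone's behalf.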
