On Wed, Dec 06, 2006 at 02:45:43AM +0000, tech tech wrote:
> Plugin: 17348 [Jetty < 4.2.19 Denial of Service]
>
> 1. The plugin defines severity as Medium. But in the scan report I found that it is giving a high severity alert.
Earlier, risk levels were assigned somewhat arbitrarily -- basically, it was a judgment call by the plugin's author. And while we tried to have holes / warnings / notes correspond to risk factors of Critical or High / Medium / Low or None respectively, it didn't always happen.
For the past year, we've been using CVSS base scores -- http://www.first.org/cvss/cvss-guide.html -- for the assignment, although we still have to revisit many of the older plugins to update them.
This was one such plugin, and I've just calculated a base score for it and updated the plugin. According to this score, the vulnerability is a low risk one, and that is now reflected in the report.
> 2. I did the scan with Non DoS plugins. Even then Nessus reported this vulnerability... is it a problem with the Nessus client?
Nessus has both a denial of service plugin category as well as a denial of service plugin family. The category describes the possible effect of the plugin when you run it while the family is based on the vulnerability or vulnerabilities being covered by the plugin.
When you run in safe checks or enable non-DoS plugins in the NessusWX client, you're talking about plugin categories, that is, plugins that might crash the service or host or otherwise negatively impact it when you run them. Hope this clears up the confusion somewhat.
George -- [EMAIL PROTECTED]

_______________________________________________
Nessus mailing list
[email protected]
http://mail.nessus.org/mailman/listinfo/nessus
