Hi, I'm curious as to how the threat level is assigned in OpenVAS-6.

For example, in a scan report I find an entry for "Compaq WBEM Server Detection" (OID 1.3.6.1.4.1.25623.1.0.10746) which has a CVSS of 0.0, yet it is reported as a Medium threat. In the NVT source the risk factor is None. Is this classification change intentional or is it a software bug? And how is the threat level in the report related to the risk factor in the NVT - are they just different names for the same concept?

Another example is the "FTP Server type and version" NVT (OID 1.3.6.1.4.1.25623.1.0.10092) - it is classified in a report as a Low threat with CVSS of 1.9 - what is the basis for such a classification and CVSS assignment for a (pure) product detection NVT (i.e. no specific vulnerability is reported for the detected product)?

Best regards,
Karol

_______________________________________________
Openvas-discuss mailing list
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
