On 23.10.24 at 11:10, Dr. Christopher Kunz wrote:
> while OpenSSL rates this issue as "low severity", SuSE assesses it as
> "moderate", with a CVSS 3.1 of 7.0
> (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H).
> I'm curious about these two quite different assessments. Could OpenSSL
> and SuSE maybe elaborate a little?
FWIW,
both parties answered off-list (I needed an answer during the German
business day and got held up by moderation).
The difference is that OpenSSL does not adhere to CVSS-style risk
assessment, but assesses the severity of the bug together with the
likelihood of exploitation. Due to the latter being extremely low, the
overall assessment is "low".
SuSE, however, used vanilla CVSS 3.1 assessment, which does not include
exploitability metrics beyond "AC:H".
That explains the different scores.
Best regards,
--cku