Hi,

There is a discussion on the python-dev list about the ctypes CVE-2021-3177 vulnerability and its severity.

I discovered at https://nvd.nist.gov/vuln/detail/CVE-2021-3177 that there is a version 3 of the CVSS score. The ctypes CVE-2021-3177 got a score of 9.8 CRITICAL in its version 3, but a score of 7.5 HIGH in its version 2. Should we only display the version 3 score? Or display both?

On my python-security website, I use the "http://cve.circl.lu/api/cve/<CVE number>" API which returns CVE data as JSON. It seems to provide the CVSS score version 2. Example with CVE-2021-3177:

    "cvss": 7.5,
    "cvss-time": "2021-02-13T03:15:00",
    "cvss-vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",

This score is rendered in the CVE section: https://python-security.readthedocs.io/vuln/ctypes-buffer-overflow-pycarg_repr.html#cve-2021-3177

I found the https://nvd.nist.gov/vuln/data-feeds list of APIs which return data of *all* CVEs (per year) as JSON. Does someone know an API to retrieve CVE data as JSON for a single CVE which includes CVSS version 3?

If anyone wants to help me, look at the "render_doc.py" script at: https://github.com/vstinner/python-security/

Victor
-- 
Night gathers, and now my watch begins. It shall not end until my death.
_______________________________________________
Security-SIG mailing list -- security-sig@python.org
https://mail.python.org/mailman3/lists/security-sig.python.org/