CVEProject / cvelistV5

CVE cache of the official CVE List in CVE JSON 5 format

missing metrics in CVE V5 records, while they exist in CVE V4 records #48

Closed lloydbates closed 2 months ago

lloydbates commented 2 months ago

There are some CVE records in the new V5 that are missing any metrics.
Example: cves/2024/26xxx/CVE-2024-26603.json

In the corresponding CVE V4 record, this one exists:

{
  "cve": {
    "data_type": "CVE",
    "data_format": "MITRE",
    "data_version": "4.0",
    "CVE_data_meta": {
      "ID": "CVE-2024-26603",
      "ASSIGNER": "cve@kernel.org"
    }
  },
  "impact": {
    "baseMetricV3": {
      "cvssV3": {
        "version": "3.1",
        "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
        "attackVector": "LOCAL",
        "attackComplexity": "LOW",
        "privilegesRequired": "LOW",
        "userInteraction": "NONE",
        "scope": "UNCHANGED",
        "confidentialityImpact": "NONE",
        "integrityImpact": "NONE",
        "availabilityImpact": "HIGH",
        "baseScore": 5.5,
        "baseSeverity": "MEDIUM"
      },
      "exploitabilityScore": 1.8,
      "impactScore": 3.6
    }
  }
}

JSON shortened for readability. Source: https://nvd.nist.gov/vuln/data-feeds#JSON_FEED see archive for CVE-2024

This is just one example.

openmorse commented 2 months ago

You may be confusing the NVD with the CVE Program. They are different. The NVD adds data, in their own database, after they download from the CVE List:

There are no metrics for CVE-2024-26603 in v4 or v5 CVE List repos:

Here is v4 cvelist record

Here is v5 cvelist record

There are metrics added in the NVD data:

Here is NVD record

You can ask your questions about NVD metrics at their site:

https://nvd.nist.gov/info/contact-form

https://nvd.nist.gov/vuln/vulnerability-detail-pages
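An added example, not part of the thread or of the cvelistV5 project: a small Python check that tells a CVE JSON 5 record apart from an NVD JSON 1.1 feed item (which embeds a `"data_version": "4.0"` block under `cve`, as in the snippet quoted above) and reports where any CVSS data came from. The function name and both sample documents are constructed for illustration, and the CVE JSON 5 sample is not the real record's content.

```python
import json

# Constructed sample inputs (not real feed data): a CVE JSON 5 record as stored
# in cvelistV5 with no metrics, and an NVD 1.1 feed item for the same ID.
CVELIST_V5 = json.loads("""{
  "dataType": "CVE_RECORD", "dataVersion": "5.0",
  "cveMetadata": {"cveId": "CVE-2024-26603", "state": "PUBLISHED"},
  "containers": {"cna": {"descriptions": [{"lang": "en", "value": "constructed"}]}}
}""")
NVD_ITEM = json.loads("""{
  "cve": {"data_type": "CVE", "data_version": "4.0",
          "CVE_data_meta": {"ID": "CVE-2024-26603"}},
  "impact": {"baseMetricV3": {"cvssV3": {
      "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "baseScore": 5.5}}}
}""")


def cvss_by_origin(doc):
    """Return (format, cve_id, [(origin, vector, score), ...]) for one document."""
    found = []
    if doc.get("dataType") == "CVE_RECORD":          # CVE Program record (cvelistV5)
        boxes = doc.get("containers", {})
        # Metrics can be supplied by the CNA or by any ADP container.
        sources = [("cna", boxes.get("cna", {}))]
        sources += [("adp", a) for a in boxes.get("adp", [])]
        for origin, box in sources:
            for metric in box.get("metrics", []):
                for key, val in metric.items():
                    if key.startswith("cvssV") and isinstance(val, dict):
                        found.append((origin, val.get("vectorString"), val.get("baseScore")))
        return "cve-json-5", doc["cveMetadata"]["cveId"], found
    if "CVE_data_meta" in doc.get("cve", {}):        # NVD JSON 1.1 feed item
        # "impact" is added by NVD analysts; it is not part of the CVE List record.
        for block in doc.get("impact", {}).values():
            for key, val in block.items():
                if key.startswith("cvssV") and isinstance(val, dict):
                    found.append(("nvd", val.get("vectorString"), val.get("baseScore")))
        return "nvd-feed-1.1", doc["cve"]["CVE_data_meta"]["ID"], found
    raise ValueError("neither a CVE JSON 5 record nor an NVD 1.1 feed item")


if __name__ == "__main__":
    for sample in (CVELIST_V5, NVD_ITEM):
        print(cvss_by_origin(sample))
```

An empty list for a `cve-json-5` document means neither the CNA nor an ADP supplied CVSS data in the CVE List record, which is a different statement from NVD having no score for that ID.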

lloydbates commented 2 months ago

You are correct, it was my mistake. This issue can be closed.