Closed amanion-cisa closed 1 week ago
Not directly related to the overall question, but I investigated CVE-2024-5274 carefully and believe the ADP vectors are correct. Per the CVSS 3.1 Specification, sandbox escape means S:C and also supports AC:H.
Since they're different teams and different analysis methods, I don't think it's a bug if NVD and Vulnrichment happen to disagree on a CVSS score. If either NVD or Vulnrichment happens to be incorrect, whoever believes they're more right can champion that cause in a future update. But out of the gate, it's okay to be divergent.
CVSS data from the Vulnrichment ADP container does not always agree with NVD CVSS data for. Is this a concern? Please document the intended behavior and review/change Vulnrichment CVSS data if necessary.
For example, CVE-2024-5274:
https://nvd.nist.gov/vuln/detail/CVE-2024-5274
https://github.com/cisagov/vulnrichment/blob/develop/2024/5xxx/CVE-2024-5274.json
Also: CVE-2015-2051, CVE-2019-7256, CVE-2020-17519