Should Vulnrichment and NVD CVSS agree?

[amanion-cisa]

CVSS data from the Vulnrichment ADP container does not always agree with NVD CVSS data for. Is this a concern? Please document the intended behavior and review/change Vulnrichment CVSS data if necessary.

For example, CVE-2024-5274: https://nvd.nist.gov/vuln/detail/CVE-2024-5274 https://github.com/cisagov/vulnrichment/blob/develop/2024/5xxx/CVE-2024-5274.json

NVD: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
ADP: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
                      ^             ^

Also: CVE-2015-2051 CVE-2019-7256 CVE-2020-17519

[amanion-cisa]

Not directly related to the overall question, but I investigated CVE-2024-5274 carefully and believe the ADP vectors are correct. Per the CVSS 3.1 Specification, sandbox escape means S:C and also supports AC:H.

[todb-cisa]

Since they're different teams and different analysis methods, I don't think it's a bug if NVD and Vulnrichment happen to disagree on a CVSS score. If either NVD or Vulnrichment happens to be incorrect, whoever believes they're more right can champion that cause in a future update. But out of the gate, it's okay to be divergent.