cisagov / vulnrichment

A repo to conduct vulnerability enrichment.
Creative Commons Zero v1.0 Universal

CVSS reported as "0" for CVE-2023-28334 #85

Closed patrickmgarrity closed 1 hour ago

patrickmgarrity commented 4 days ago

I noticed CVE-2023-28334 was scored with a "0" CVSS score, and was curious if this was intended? https://github.com/cisagov/vulnrichment/blob/ec966c2d052c8c1f5d36873bb68ead4bf6eedd08/2023/28xxx/CVE-2023-28334.json#L6

jbmaillet commented 3 days ago

While it has one in the NVD, from 3 days ago, furthermore from CISA as an ADP: https://nvd.nist.gov/vuln/detail/CVE-2023-28334#VulnChangeHistorySection

```
CVE Modified by CISA-ADP 7/02/2024 9:39:50 PM

Action Type Old Value New Value
Added CVSS V3.1   CISA-ADP AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
```

todb-cisa commented 3 days ago

Strikes me as Confidentiality:Low, and not None.

If something scores CVSS zero, it's kind of not a vulnerability at all.

I'd be tempted to say that CVSS of zero should be illegal, but if someone did file a CVE with CVSS of zero, we should still call that out. And mark it for dispute, likely.

jwoytek-cisa commented 1 hour ago

@patrickmgarrity Thank you for the report! An analyst reviewed this and applied a couple of changes based on current information. The data has been fixed upstream and updated here.

Edit: Tagged the wrong person.