Closed patrickmgarrity closed 1 hour ago
While it has one in the NVD, from 3 days ago, furthermore from CISA as an ADP: https://nvd.nist.gov/vuln/detail/CVE-2023-28334#VulnChangeHistorySection
Action | Type | Old Value | New Value |
---|---|---|---|
Added | CVSS V3.1 | | CISA-ADP AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N |
Strikes me as Confidentiality: Low, and not None.
If something scores CVSS zero, it's kind of not a vulnerability at all.
I'd be tempted to say that CVSS of zero should be illegal, but if someone did file a CVE with CVSS of zero, we should still call that out. And mark it for dispute, likely.
@patrickmgarrity Thank you for the report! An analyst reviewed this and applied a couple of changes based on current information. The data has been fixed upstream and updated here.
Edit: Tagged the wrong person.
I noticed CVE-2023-28334 was scored with a "0" CVSS score and was curious if this was intended? https://github.com/cisagov/vulnrichment/blob/ec966c2d052c8c1f5d36873bb68ead4bf6eedd08/2023/28xxx/CVE-2023-28334.json#L6