stevespringett / cvss-calculator

A Java library for calculating CVSSv2 and CVSSv3 scores and vectors
Apache License 2.0
36 stars 21 forks

CVSS:3.1 vectors may get parsed to CVSS:3.0 instance #56

Closed fviernau closed 3 months ago

fviernau commented 2 years ago

I've run Cvss.parse(..) against a couple of vectors, e.g. "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H". The implementation matches it as a 3.0 string, so Cvss.parse(..).toVector() returns vectors of the form "CVSS:3.1/*".

shikida commented 7 months ago

I've noticed the same problem here. See NVD for CVE-2024-21628 that has

"impact" : { "baseMetricV3" : { "cvssV3" : { "version" : "3.1", "vectorString" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "attackVector" : "NETWORK",

and it's identified as CVSS V3

shikida commented 7 months ago

OTOH because this 3.1 string lacks the weights, the calculation formula for CVSS 3.1 will fail too...