Forum Discussion
Joseph770
Dec 18, 2023Copper Contributor
CvssScore in "DeviceTvmSoftwareVulnerabilitiesKB" - What is it and is it accurate?
It is not clear what the "CvssScore" value represents. The description of the column states, including typo:
"Severity score assigned to the security vulnerability under th Common Vulnerability Scoring System (CVSS)"
It does not indicate whether it is a component (e.g., the base score) of the CVSS or the entire score (doubtful).
Furthermore, examining the entry for CVE-2023-27350 shows a CvssScore value of "5.3" (for a remotely exploitable vulnerability bypassing authentication?!). The NVD shows CVE-2023-27350 has a CVSS base score of 9.8 (https://nvd.nist.gov/vuln/detail/CVE-2023-27350). Why is the DeviceTvmSoftwareVulnerabilitiesKB entry so wildly different than the NVD? If it is incorrect, how does such a mistake happen and how many other entries in the table are incorrect?
- ExMSW4319Steel ContributorBear in mind that CVSS v2 and v3 can differ by quite a bit for the same vulnerability. You don't mention which version is being used in the comparison. Tenable says CVSSv3 9.8 and CVSSv2 8.3 [https://www.tenable.com/plugins/nessus/174747] but I have seen other vulnerabilities differ by a score of 4 or more.
- Joseph770Copper Contributor
"You don't mention which version is being used in the comparison."
The NVD reference given uses CVSS 3.x. What Microsoft is using is my concern as they are way out of alignment with the NVD listing. The lack of definition provided by Microsoft for the CvssScore combined with a value, probably meant to be the base score, that is so different raises concerns for the validity of the data Microsoft is managing (or not).- ExMSW4319Steel ContributorThere is a click button on the NVD web site that in theory will show the CVSS v2 score. It is not obvious. However, for CVE-2023-27350 you are right; they have only calculated / published a score for v3.
- ExMSW4319Steel ContributorAnd I have muddled my temporal and base scores. For CVE-2023-27350 the correct scores are v2 base 10 temporal 8.3 and v3 base 9.8 temporal 9.1. Lots to choose from.