Joseph770
Copper Contributor
Dec 18, 2023

CvssScore in "DeviceTvmSoftwareVulnerabilitiesKB" - What is it and is it accurate?

It is not clear what the "CvssScore" value represents.  The description of the column states, including typo:

"Severity score assigned to the security vulnerability under th Common Vulnerability Scoring System (CVSS)"

It does not indicate whether it is a component (e.g., the base score) of the CVSS or the entire score (doubtful). 
Furthermore, examining the entry for CVE-2023-27350 shows a CvssScore value of "5.3" (for a remotely exploitable vulnerability bypassing authentication?!).  The NVD shows CVE-2023-27350 has a CVSS base score of 9.8 (https://nvd.nist.gov/vuln/detail/CVE-2023-27350).  Why is the DeviceTvmSoftwareVulnerabilitiesKB entry so wildly different than the NVD?  If it is incorrect, how does such a mistake happen and how many other entries in the table are incorrect?  
  • ExMSW4319
    Steel Contributor
    Bear in mind that CVSS v2 and v3 can differ by quite a bit for the same vulnerability. You don't mention which version is being used in the comparison. Tenable says CVSSv3 9.8 and CVSSv2 8.3 [https://www.tenable.com/plugins/nessus/174747] but I have seen other vulnerabilities differ by a score of 4 or more.
    • Joseph770
      Copper Contributor

      "You don't mention which version is being used in the comparison."
      The NVD reference given uses CVSS 3.x.  What Microsoft is using is my concern as they are way out of alignment with the NVD listing.  The lack of definition provided by Microsoft for the CvssScore combined with a value, probably meant to be the base score, that is so different raises concerns for the validity of the data Microsoft is managing (or not).  

      • ExMSW4319
        Steel Contributor
        There is a click button on the NVD web site that in theory will show the CVSS v2 score. It is not obvious. However, for CVE-2023-27350 you are right; they have only calculated / published a score for v3.
    • ExMSW4319
      Steel Contributor
      And I have muddled my temporal and base scores. For CVE-2023-27350 the correct scores are v2 base 10 temporal 8.3 and v3 base 9.8 temporal 9.1. Lots to choose from.