Forum Discussion
CvssScore in "DeviceTvmSoftwareVulnerabilitiesKB" - What is it and is it accurate?
It is not clear what the "CvssScore" value represents. The description of the column states, including typo: "Severity score assigned to the security vulnerability under th Common Vulnerability Sco...
Bear in mind that CVSS v2 and v3 can differ by quite a bit for the same vulnerability. You don't mention which version is being used in the comparison. Tenable says CVSSv3 9.8 and CVSSv2 8.3 [https://www.tenable.com/plugins/nessus/174747] but I have seen other vulnerabilities differ by a score of 4 or more.
"You don't mention which version is being used in the comparison."
The NVD reference given uses CVSS 3.x. What Microsoft is using is my concern as they are way out of alignment with the NVD listing. The lack of definition provided by Microsoft for the CvssScore combined with a value, probably meant to be the base score, that is so different raises concerns for the validity of the data Microsoft is managing (or not).- There is a click button on the NVD web site that in theory will show the CVSS v2 score. It is not obvious. However, for CVE-2023-27350 you are right; they have only calculated / published a score for v3.
I spent some time over lunch comparing the CVSS scores for the 2023 entries (those entries starting with "CVE-2023-") in the NVD database to those in the DeviceTvmSoftwareVulnerabilitiesKB table. Where there was a matching CVE in both, more than 33% of the CvssScore in the DeviceTvmSoftwareVulneratiliesKB table did not match the CVSS base score in the NVD. Maybe "Defender XDR" will get rebranded "Defender RND"?
- And I have muddled my temporal and base scores. For CVE-2023-27350 the correct scores are v2 base 10 temporal 8.3 and v3 base 9.8 temporal 9.1. Lots to choose from.
