Forum Discussion

Copper Contributor

Dec 18, 2023

CvssScore in "DeviceTvmSoftwareVulnerabilitiesKB" - What is it and is it accurate?

It is not clear what the "CvssScore" value represents. The description of the column states, including typo: "Severity score assigned to the security vulnerability under th Common Vulnerability Sco...

investigation

microsoft defender for office 365

threat hunting

ExMSW4319

Iron Contributor

Dec 19, 2023

Bear in mind that CVSS v2 and v3 can differ by quite a bit for the same vulnerability. You don't mention which version is being used in the comparison. Tenable says CVSSv3 9.8 and CVSSv2 8.3 [https://www.tenable.com/plugins/nessus/174747] but I have seen other vulnerabilities differ by a score of 4 or more.

Joseph770

Copper Contributor

Dec 19, 2023

"You don't mention which version is being used in the comparison."
The NVD reference given uses CVSS 3.x. What Microsoft is using is my concern as they are way out of alignment with the NVD listing. The lack of definition provided by Microsoft for the CvssScore combined with a value, probably meant to be the base score, that is so different raises concerns for the validity of the data Microsoft is managing (or not).

ExMSW4319
Iron Contributor
Dec 19, 2023
There is a click button on the NVD web site that in theory will show the CVSS v2 score. It is not obvious. However, for CVE-2023-27350 you are right; they have only calculated / published a score for v3.
- Joseph770
  Copper Contributor
  Dec 19, 2023
  ExMSW4319
  I spent some time over lunch comparing the CVSS scores for the 2023 entries (those entries starting with "CVE-2023-") in the NVD database to those in the DeviceTvmSoftwareVulnerabilitiesKB table. Where there was a matching CVE in both, more than 33% of the CvssScore in the DeviceTvmSoftwareVulneratiliesKB table did not match the CVSS base score in the NVD. Maybe "Defender XDR" will get rebranded "Defender RND"?