Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

CvssScore in "DeviceTvmSoftwareVulnerabilitiesKB" - What is it and is it accurate?

Copper Contributor

It is not clear what the "CvssScore" value represents.  The description of the column states, including typo:

"Severity score assigned to the security vulnerability under th Common Vulnerability Scoring System (CVSS)"

It does not indicate whether it is a component (e.g., the base score) of the CVSS or the entire score (doubtful). 

 

Furthermore, examining the entry for CVE-2023-27350 shows a CvssScore value of "5.3" (for a remotely exploitable vulnerability bypassing authentication?!).  The NVD shows CVE-2023-27350 has a CVSS base score of 9.8 (https://nvd.nist.gov/vuln/detail/CVE-2023-27350).  Why is the DeviceTvmSoftwareVulnerabilitiesKB entry so wildly different than the NVD?  If it is incorrect, how does such a mistake happen and how many other entries in the table are incorrect?  

 

 

5 Replies
Bear in mind that CVSS v2 and v3 can differ by quite a bit for the same vulnerability. You don't mention which version is being used in the comparison. Tenable says CVSSv3 9.8 and CVSSv2 8.3 [https://www.tenable.com/plugins/nessus/174747] but I have seen other vulnerabilities differ by a score of 4 or more.
And I have muddled my temporal and base scores. For CVE-2023-27350 the correct scores are v2 base 10 temporal 8.3 and v3 base 9.8 temporal 9.1. Lots to choose from.

"You don't mention which version is being used in the comparison."
The NVD reference given uses CVSS 3.x.  What Microsoft is using is my concern as they are way out of alignment with the NVD listing.  The lack of definition provided by Microsoft for the CvssScore combined with a value, probably meant to be the base score, that is so different raises concerns for the validity of the data Microsoft is managing (or not).  

There is a click button on the NVD web site that in theory will show the CVSS v2 score. It is not obvious. However, for CVE-2023-27350 you are right; they have only calculated / published a score for v3.

@ExMSW4319 

I spent some time over lunch comparing the CVSS scores for the 2023 entries (those entries starting with "CVE-2023-") in the NVD database to those in the DeviceTvmSoftwareVulnerabilitiesKB table.  Where there was a matching CVE in both, more than 33% of the CvssScore in the DeviceTvmSoftwareVulneratiliesKB table did not match the CVSS base score in the NVD.  Maybe "Defender XDR" will get rebranded "Defender RND"?