sigmoid.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
A social space for people researching, working with, or just interested in AI!


#cvss


I agree with Solar Designer on #CVSS uselessness when rating library #vulnerabilities:

"What this tells us is that CVSS base scores are pretty much unusable for ranking library and interpreter vulnerabilities. Adding temporal and exploitability metrics may improve things, but also mostly when applied not just to the libraries, but to their specific uses. Since this is generally too hard, I think a future revision of CVSS should have adjustments in the base score for issues that are not directly exposed."

from: openwall.com/lists/oss-securit

Link preview: oss-security - Re: CVE-2024-40896 Analysis: libxml2 XXE due to type confusion (www.openwall.com)

Apparently #CISA has rated #curl #vulnerability #CVE_2024_11053 as #CVSS v3 Base Score 9.1 "critical". This is wrong, and will lead to automation triggering unnecessary warnings and blocking use of perfectly fine systems until an update is installed (which can take months). nvd.nist.gov/vuln/detail/CVE-2

Edit: In case you wonder about my credentials for judging this: I found this vulnerability.

Edit2: This appears to be originating from CISA: cve.org/Media/News/item/blog/2

Edit3: The score has now been fixed. Commit: github.com/cisagov/vulnrichmen

Link preview: NVD - CVE-2024-11053 (nvd.nist.gov)

The Common Vulnerability Scoring System is unfortunately ineffective. Today's 9.9 CVSS vulnerability has the highest possible score, but no remediation required if you competently configure your systems.

#CVSS doesn't pass the smell test when a 9.9 score vulnerability is a nothingburger for most people. Unfortunately I don't have any productive improvements to suggest. I'm not sure what factor is missing or being misanalyzed.

Is "likelihood" missing a "in a real world configuration" caveat?

If you took all vulnerability exploitation attempts targeting your organization and grouped them into three buckets of new, active, and dormant - it might look like this.

The blue is the proportion of "active" exploits that your sensors have registered in the recent past.

Exploits represented by the teal area have been attacked in the past but have gone dormant for a time (it's been a while since you've seen them).

The red undercurrent corresponds to new exploits never seen before.

My takeaway? Newly exploited vulns get the most *attention*, but the older ones get the most *action*.

#vulnerabilitymanagement #vulnerability #vulnerabilities
#vulnerability_exploits #exploit #exploitation #cyberattack #cyberattacks #epss #cvss #kev

This comes from a brand new Cyentia Institute study exploring years of exploitation activity. It's available here with no registration required: cyentia.com/epss-study/

Track changes in the CVE database (CVEProject / cvelistV5) `tail -f` style, also printing changes in the CVSS 3.1 scores. Written using only the Python Standard Library, the only external requirement being the Git binary.

#cve #cvelist #vulnerabilities #cvss #opensource

github.com/oh2fih/Misc-Scripts

Link preview: Misc-Scripts/bin/follow-cvelist.py at main · oh2fih/Misc-Scripts (GitHub). Miscellaneous scripts for different purposes. Mostly unrelated to each other. - oh2fih/Misc-Scripts
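As an added illustration of the check such a tracker performs (my own example, not the oh2fih script), the Python below reads a cvelistV5 record, collects the CVSS 3.1 base score from the CNA container and from every ADP container (the CISA ADP enrichment discussed in the curl post above lives in such a container), and reports which scores appeared or changed between two revisions. Both records are constructed samples; the CVE id and the ADP shortName "CISA-ADP" are assumptions.

```python
import json
from typing import Dict, Optional, Tuple

# Constructed sample records in the cvelistV5 JSON layout (not real CVE data):
# a CNA-only record, then a revision where an ADP container adds a second,
# much higher CVSS 3.1 assessment (shortName "CISA-ADP" is assumed).
OLD_RECORD = json.dumps({
    "cveMetadata": {"cveId": "CVE-2099-0001"},
    "containers": {"cna": {"metrics": [{"cvssV3_1": {
        "baseScore": 3.5, "baseSeverity": "LOW",
        "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N"}}]}},
})
NEW_RECORD = json.dumps({
    "cveMetadata": {"cveId": "CVE-2099-0001"},
    "containers": {
        "cna": {"metrics": [{"cvssV3_1": {
            "baseScore": 3.5, "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N"}}]},
        "adp": [{"providerMetadata": {"shortName": "CISA-ADP"},
                 "metrics": [{"cvssV3_1": {
                     "baseScore": 9.1, "baseSeverity": "CRITICAL",
                     "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"}}]}],
    },
})


def cvss31_scores(record: str) -> Dict[str, float]:
    """Map each scoring source ('cna' or 'adp:<shortName>') to its CVSS 3.1 base score."""
    containers = json.loads(record).get("containers", {})
    sources = [("cna", containers.get("cna", {}))]
    for adp in containers.get("adp", []):
        name = adp.get("providerMetadata", {}).get("shortName", "unknown")
        sources.append((f"adp:{name}", adp))
    scores: Dict[str, float] = {}
    for label, container in sources:
        for metric in container.get("metrics", []):
            cvss = metric.get("cvssV3_1")
            if cvss and "baseScore" in cvss:
                scores[label] = float(cvss["baseScore"])
    return scores


def score_changes(old: str, new: str) -> Dict[str, Tuple[Optional[float], Optional[float]]]:
    """Return {source: (old_score, new_score)} for sources whose score appeared, vanished or changed."""
    before, after = cvss31_scores(old), cvss31_scores(new)
    return {src: (before.get(src), after.get(src))
            for src in sorted(set(before) | set(after))
            if before.get(src) != after.get(src)}


if __name__ == "__main__":
    cve_id = json.loads(NEW_RECORD)["cveMetadata"]["cveId"]
    for src, (was, now) in score_changes(OLD_RECORD, NEW_RECORD).items():
        print(f"{cve_id} {src}: {was} -> {now}")  # CVE-2099-0001 adp:CISA-ADP: None -> 9.1
```

Reporting the source alongside the score is the point: a record can carry a modest CNA score and a critical ADP score at once, and automation keying only on the highest number is what the curl post above warns about.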