Comment by tptacek

13 days ago

Broken record, but "has a CVSS score of 10.0" is literally meaningless. In fact, over the last couple years, I've come to take vulnerabilities with very high CVSS scores less seriously. Remember, Heartbleed was a "7.5".

I am pretty convinced that CVSS has a very significant component of "how enterprise is it." Accepting untrusted parquet files without verification or exposing apache spark directly to users is a very "enterprise" thing to do (alongside having log4j log untrusted user inputs). Heartbleed sounded too technical and not "enterprise" enough.

  • > alongside having log4j log untrusted user inputs

    I'd think logging things like query parameters is extremely common.

It may be noisy, but recently Draytek routers had a 10 point one, and indeed, an office router had been taken over. It would stubbornly reboot every couple of minutes, and not accept upgrades.

Yep. Any software these days can be "network accessible" if you put a server in front of it; that's usually what pumps the score up.