CVSS3 and Severity mismatch when using Trivy #20385
Comments
someoilguy
changed the title
|
Hi @someoilguy could you please push the image, which has CVE score not matching severity, to dockerhub (a public accessible registry) so that we can use it to reproduce it and do further investigation? |
|
python:3.10.14 does it with cve-2023-34152 (imagemagick) cvss of 9.8 but severity low. I'll see what I can do about getting some other samples for you guys. |
|
@knqyf263 please help to provide some insight on this, thanks |
|
@someoilguy essentially, if we run And it redirects us to: https://security-tracker.debian.org/tracker/CVE-2023-34152. In this page, it shows @knqyf263, please correct me if there is anything wrong about it. |
|
@zyyw You're right. Also, it's documented here. |
Hello,
I have just installed created a fresh instance of Harbor 2.10.2.
When scanning containers, I have noticed that severity and the CVSS 3 value shown don't always match, such as this:
Following the link to aqua vulnerability database I see the following:
An even more extreme version is CVE-2014-9939 showing as Low but with a CVSS 3 of 9.8
It was installed with the "--with-trivy" flag and is using version v0.50.1
Some more examples for reference:
The text was updated successfully, but these errors were encountered: