This is your regular reminder that CVSSv3 base scores are information-poor, and taken alone are not fit for the purpose of evaluating appropriate actions to take for a given security vulnerability.
I am hoping that CVSSv4 helps improve industry practices. It's badly needed.
#InfoSec #CVSS #CVE
https://csrc.nist.gov/csrc/media/Presentations/2023/update-on-cvss-4-0/jan-25-2023-ssca-dugal-rich.pdf
If you use #curl or #libcurl and are worried about the pending "High" CVE that's coming out, @bagder said...
"Every security flaw requires a set of conditions to apply for the problem to trigger. The pending security vulnerabilities are no different. I cannot comment on what that set is ahead of time.
The severity level is a blunt tool. This is a HIGH severity problem but there is still going to be a large chunk of users who will not be affected by these problems."
https://github.com/curl/curl/discussions/12026#discussioncomment-7195449
The "High" rating for this bulletin, like "CVSSv3 base score >= 7.0", is information-poor.
For open source libraries in particular, there are many potential mitigating circumstances.
I really want for the #InfoSec community and industry practice to improve so that we don't blindly look at base scores or vendor ratings for #FOSS libraries in particular, and then panic.
Over on the bad place, it looks like an embargoed patch leaked?
@msw kind of hard to see how publicizing this helps, though?
@slink Sure, it's just that @JohnHammond posted some good content over there.
I'd love for it to be over here!
@msw @slink @JohnHammond I really hate Elon for destroying Twitter. Now I have to scour multiple platforms for info like this because I refuse to use X and support him.
Thanks for sharing this here.