Different severities (NVD and RedHat) #1325
Unanswered
mrahimi2021 asked this question in Q&A
Replies: 0 comments
Hi,
I am a bit confused regarding the different severities for a single CVE that is reported by Trivy.
For example, please consider CVE-2021-3549:
CVSS V3 Score: 7.1 HIGH
CVSS V2 Score: 5.8 MEDIUM
Ref: https://nvd.nist.gov/vuln/detail/CVE-2021-3549
RedHat Severity: low - while the score is 6.1
Ref: https://bugzilla.redhat.com/show_bug.cgi?id=1960717
Reported Severity by Trivy: LOW
JSON output of Trivy:

```json
{
  "Severity": "LOW",
  "CweIDs": [
    "CWE-119"
  ],
  "CVSS": {
    "nvd": {
      "V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P",
      "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H",
      "V2Score": 5.8,
      "V3Score": 7.1
    },
    "redhat": {
      "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L",
      "V3Score": 6.1
    }
  }
}
```
Is there any option for Trivy to choose between the different references, or to choose NVD CVSS V3 as the default?
Many thanks,
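One way to get the behaviour asked about above, as an added example that is not part of Trivy or of this discussion: post-process Trivy's JSON output, pick a CVSS source in a preference order (NVD first, then Red Hat) and map its V3 score onto the CVSS v3 qualitative rating scale, then list the findings whose severity would change. The `Results[].Vulnerabilities[]` layout and the constructed sample report are assumptions based on the fragment quoted in the question.

```python
import json

# CVSS v3.x qualitative rating bands (lower bound, label), per the FIRST specification.
V3_BANDS = [(0.0, "NONE"), (0.1, "LOW"), (4.0, "MEDIUM"), (7.0, "HIGH"), (9.0, "CRITICAL")]

def v3_severity(score):
    """Map a CVSS v3 base score to its qualitative rating."""
    label = "NONE"
    for lower_bound, name in V3_BANDS:
        if score >= lower_bound:
            label = name
    return label

def severity_from_source(vuln, preference=("nvd", "redhat")):
    """Return (source, rating) from the first preferred CVSS source that has a V3Score."""
    cvss = vuln.get("CVSS", {})
    for source in preference:
        score = cvss.get(source, {}).get("V3Score")
        if score is not None:
            return source, v3_severity(score)
    return None

def rescore_report(report, preference=("nvd", "redhat")):
    """List findings whose Trivy severity differs from the preferred source's rating."""
    changes = []
    for result in report.get("Results", []):  # assumed Trivy report layout
        for vuln in result.get("Vulnerabilities", []):
            picked = severity_from_source(vuln, preference)
            if picked is None:
                continue  # no V3 score from any preferred source: keep Trivy's value
            source, rating = picked
            if rating != vuln.get("Severity"):
                changes.append({"id": vuln["VulnerabilityID"], "trivy": vuln.get("Severity"),
                                "source": source, "severity": rating})
    return changes

# Constructed sample report: one finding built from the CVSS block quoted in the question.
SAMPLE_REPORT = json.loads("""{"Results": [{"Target": "example", "Vulnerabilities": [{
  "VulnerabilityID": "CVE-2021-3549", "Severity": "LOW", "CweIDs": ["CWE-119"],
  "CVSS": {"nvd": {"V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P",
                   "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H",
                   "V2Score": 5.8, "V3Score": 7.1},
           "redhat": {"V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L",
                      "V3Score": 6.1}}}]}]}""")

if __name__ == "__main__":
    for change in rescore_report(SAMPLE_REPORT):
        print(f"{change['id']}: Trivy={change['trivy']} {change['source']}={change['severity']}")
```

Swapping the preference to `("redhat", "nvd")` rates the same finding MEDIUM from the 6.1 score, which shows why the chosen source, not the score alone, decides the label.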