Collaborate Disseminate
Vulnerability management has always been as much art as science. However, the rapid changes in both IT networks and the external threat landscape over the last decade have made it exponentially more difficult to identify and remediate the vulnerabiliti… Continue reading How can CISOs catch up with the security demands of their ever-growing networks?
I’m trying to accurately score a report using CVSS as follows:
Privileges Required
This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability. This Score increases as fewer priv… Continue reading What is the correct CVSS “Privileges Required” score for a privilege escalation when it’s trivial to get user privileges?
BeyondTrust announced the release of a report which includes the latest annual breakdown of Microsoft vulnerabilities by category and product, as well as a six-year trend analysis, providing a holistic understanding of the evolving threat landscape. Th… Continue reading Elevation of Privilege is the #1 Microsoft vulnerability category
What is the difference between the exploitability score and the exploitability sub-score? And the difference between the impact score and the impact sub-score?
What are the relationships between the respective scores and sub-scores?
is there a given equation for the severity score of a CVSS?
I have looked in this website https://www.first.org/cvss/v3.1/specification-document but I could not find a formula for the severity value.
While calculating the CVSS score using CVSS3.1, attack vectors are classified into four.
Network – Remote attack
Adjacent – Should share the same Physical or Logical network of victim
Physical – Physical access to device or component
I’ve recently been given a set of guidance notes on CVSS; but the guidance isn’t making sense. I’ve sent a query off, but got no response. So asking here.
Say you have an exploit (can ignore base for now – but if you want to replicate, I’v… Continue reading CVSS Temporal guidance
I am curious about the Integrity metric in CVSS 3.1.
Low is:
"Modification of data is possible, but the attacker does not have
control over the consequence of a modification, or the amount of
modification is limited. The data modific… Continue reading Help me to understand "Low Integrity" scores for parameter tampering in CVSS 3.1
I’m reviewing CVSS 3.1 specification, recently.
I encounter the example below:
Sophos Login Screen Bypass Vulnerability (CVE-2014-2005)
Sophos Disk Encryption (SDE) 5.x in Sophos Enterprise Console (SEC)
5.x before 5.2.2 does not enforce … Continue reading What’s the difference between Local and Physical attack vector in CVSS 3.1?
Short version
Red Hat Customer Portal lists CVE-2021-27219 as having a 9.8 out of 10 RedHat CVSS score, that it was published February 4, 2021, more than 3 months ago and that it affects RHEL 8, the newest version.
Is there really no fix f… Continue reading Is it really true that no RedHat fix exists for this Critical 3-month old glib issue? [migrated]