(www.bleepingcomputer.com)

Show context

tptacek ◴[06 Apr 25 19:56 UTC] No.43604427[source]▶

Broken record, but "has a CVSS score of 10.0" is literally meaningless. In fact, over the last couple years, I've come to take vulnerabilities with very high CVSS scores less seriously. Remember, Heartbleed was a "7.5".

replies(5): >>43604810 #>>43605410 #>>43606314 #>>43609363 #>>43610358 #

1. b8 ◴[07 Apr 25 00:42 UTC] No.43606314[source]▶

>>43604427 #

A new scoring system should be made that is a better signal.

replies(2): >>43606373 #>>43606374 #

2. tptacek ◴[07 Apr 25 00:54 UTC] No.43606373[source]▶

>>43606314 (TP) #

I think the original one did just fine: "info, low, medium, high, crit".

I could even do without "crit".

replies(1): >>43606709 #

3. saagarjha ◴[07 Apr 25 00:54 UTC] No.43606374[source]▶

>>43606314 (TP) #

It's quite hard to do this.

4. worthless-trash ◴[07 Apr 25 01:49 UTC] No.43606709[source]▶

>>43606373 #

I believe companies often call that the flaws impact.

It is different than the cvss rating.

replies(1): >>43606866 #

5. tptacek ◴[07 Apr 25 02:08 UTC] No.43606866{3}[source]▶

>>43606709 #

In that it is meaningful, yes.

replies(1): >>43609087 #

6. worthless-trash ◴[07 Apr 25 08:13 UTC] No.43609087{4}[source]▶

>>43606866 #

Surely you think AV:P has a meaningful description in the CVSS Score ?

↑

Max severity RCE flaw discovered in widely used Apache Parquet