by SpicyLemonZest 711 days ago
I don't think you're wrong, but it gets to the underlying question of what these systems are for. If you start from the perspective that you're going to patch all known CVEs, it doesn't seem like a big practical problem that this is 9.8 - it's unlikely your system is exposed, but equally unlikely you'd have a hard time upgrading node-ip. If you're not going to patch all known CVEs, CVSS scores aren't a useful guide to which ones are absolute must-fixes; Heartbleed was famously 5.0 when disclosed, and it's still only a 7.5 on the new scale.

Here's a recent OpenSSH RCE classified as 9.8: https://www.qualys.com/regresshion-cve-2024-6387/

The difference: you can find affected OpenSSH servers, whereas with the node-ip issue you have to find a very rare instance that would allow for SSRF and create an exploit for that exact use case. With OpenSSH you can make it really broad.

So the 9.8 score for node-ip is crazy high, and nobody should question it; it should be ~6 max.

Again, the score is mechanically calculated from specific features of the vulnerability, and the number of instances on the Internet which are exposed isn't one of those features.

I would agree that the CVSS is not, in this instance, measuring something particularly related to the practical importance of the vulnerability. I agree nobody can really dispute that. But does that mean that the next version of CVSS should include "I bet not many systems are exposed" or "I subjectively think this isn't that bad" dimensions? I'm skeptical - that seems like it would create more problems than it solves.

I only want the score to represent real threat, not what features it includes, as that is meaningless in the long run. I agree that it shouldn't include "I think it's bad" as that is meaningless as well; the score should represent the threat, not the features.

Because I'm checking Dependabot [0][1] regularly, there are a lot of issues with very high scores for frontend libraries that have really low impact, because it "checks" some features. E.g. some plugin for jQuery (frontend lib) [2] has the same score as Heartbleed, which is insane and shows how useless the score is in its current form.

[0] https://docs.github.com/en/code-security/dependabot/dependab...

[1] https://github.com/advisories?query=type%3Areviewed

[2] https://github.com/advisories/GHSA-ffmh-x56j-9rc3