[aPoCoMiLogin]

here's recent openssh RCE classified as 9.8 https://www.qualys.com/regresshion-cve-2024-6387/

the difference: you can find affected openssh servers, with the node-ip issue you have to find very rare instance that would allow for SSRF and create exploit for the exact use case. with openssh you can make it really broad.

so the 9.8 score for node-ip is crazy high, and nobody should question it, it should be ~6 max

[SpicyLemonZest]

Again, the score is mechanically calculated from specific features of the vulnerability, and the number of instances on the Internet which are exposed isn't one of those features.

I would agree that the CVSS is not, in this instance, measuring something particularly related to the practical importance of the vulnerability. I agree nobody can really dispute that. But does that mean that the next version of CVSS should include "I bet not many systems are exposed" or "I subjectively think this isn't that bad" dimensions? I'm skeptical - that seems like it would create more problems than it solves.

[aPoCoMiLogin]

i only want the score to represent real threat, not what features it includes, as that is meaningless in the long run. i agree that it shouldn't include "i think is bad" as that is meaningless as well, the score should represent the threat, not the features.

because i'm checking dependabot [0][1] regularly, there is a lot of issues with very high scores for frontend libraries, that have really low impact, because it "checks" some features. eg some plugin for jquery (frontend lib) [2] that has the same score as heartbleed, which is insane and shows how useless the score is in current form.

- https://docs.github.com/en/code-security/dependabot/dependab...

- https://github.com/advisories?query=type%3Areviewed

- https://github.com/advisories/GHSA-ffmh-x56j-9rc3