Conflicting vulnerability scores can affect patch prioritization, researchers warn

Inconsistency in how the National Vulnerability Database (NVD) and vendors score security issues can make patch prioritization harder, researchers have warned.

The Common Vulnerability Scoring System (CVSS) is a vulnerability scoring framework that allows security professionals to assess a vulnerability’s severity on a simple scale: low, medium, high, and critical. The score’s associated CVSS vector often provides much needed context to low-quality CVE descriptions.

An analysis of 120,000 CVEs with CVSS v3 scores, conducted by researchers at VulnCheck, has shown that nearly 25,000 (about 20%) carried both a primary and a secondary score, typically one from NIST (which maintains the NVD) and one from the vendor of the vulnerable product, and that about 14,000 (56%) of those had conflicting scores, meaning the score assigned by NIST and the score assigned by the vendor did not match.

Furthermore, the experts analyzed CVEs that had been assigned the CWE for XSS or CSRF, where an error means a CVSS vector that does not mark user interaction as required (UI:R), and found that across both classes the error rate for the primary source was 1.10%, while the error rate for the secondary source was 15.03%.

VulnCheck says that there are more than 39 unique organizations contributing incorrect scores in the NVD, including NIST, GitHub, and the US Department of Homeland Security.

As an example, the company pointed to the NVD entry for CVE-2023-21557, a denial of service vulnerability in Microsoft Windows Lightweight Directory Access Protocol (LDAP). The entry shows that Microsoft assigned the vulnerability a severity score of 7.5 (high), while NIST listed the bug as “critical” (base score 9.1), and the entry gives no explanation of why the two scores differ.

“That very high conflict rate easily leads practitioners to question whether to trust the primary or secondary source. Primary, based on the name, certainly sounds more authoritative. But it turns out, NIST almost always assigns itself as the primary source. Of the 14 total primary sources found in the 120,000 CVE with CVSSv3 scores, NIST was listed as the primary source 116,169 times (97%),” the experts noted.

When analyzing cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities in the NVD (both classes always require user interaction, so their CVSS vectors should carry UI:R), VulnCheck found that the primary source (typically NIST) had assigned an XSS CWE to 12,969 of the 120,000 CVEs in the database, while a secondary source had assigned an XSS CWE to only 2,091.

“The primary source failed to use UI:R for XSS vulnerabilities 111 times, a 0.86% error rate. Whereas the secondary sources failed to use UI:R 346 times, a 16.54% error rate. CSRF was less severe. The primary source only failed to use UI:R for 59 out of 2,548 (2.3%) CSRF vulnerabilities. The secondary source used the wrong UI for 27 out of 390 (6.9%),” according to the report.
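As an added example (not code from VulnCheck, NIST or the article), the following Python script applies the two checks discussed above to CVE records: the primary-versus-secondary base score conflict illustrated by the CVE-2023-21557 entry, and the UI:R consistency check for records tagged XSS (CWE-79) or CSRF (CWE-352). The record layout (`cve.metrics.cvssMetricV31[]` with `type` of `Primary`/`Secondary`, and `cve.weaknesses[]`) is assumed from the public NVD API 2.0 JSON format; the three records embedded in the script are constructed placeholders with made-up IDs, sources and scores, not real NVD data.

```python
"""Audit NVD-style CVE records for conflicting Primary/Secondary CVSS v3 base
scores and for XSS/CSRF records whose CVSS vector does not use UI:R.

Added example, not VulnCheck or NVD code. Record layout assumed from the NVD
API 2.0 JSON format; SAMPLE_RECORDS are constructed placeholders.
"""
import re

# Weakness classes whose exploitation always needs a victim action (XSS, CSRF).
USER_INTERACTION_CWES = {"CWE-79", "CWE-352"}

# Constructed sample records (placeholder IDs, sources and scores).
SAMPLE_RECORDS = [
    {"cve": {"id": "CVE-0000-0001",  # NIST 9.1 vs vendor 7.5, like the article's example
        "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary",
                        "description": [{"lang": "en", "value": "CWE-400"}]}],
        "metrics": {"cvssMetricV31": [
            {"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"baseScore": 9.1,
             "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"}},
            {"source": "vendor@example.com", "type": "Secondary", "cvssData": {"baseScore": 7.5,
             "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}}]}}},
    {"cve": {"id": "CVE-0000-0002",  # XSS: primary uses UI:R (6.1), secondary wrongly UI:N (7.2)
        "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary",
                        "description": [{"lang": "en", "value": "CWE-79"}]},
                       {"source": "vendor@example.com", "type": "Secondary",
                        "description": [{"lang": "en", "value": "CWE-79"}]}],
        "metrics": {"cvssMetricV31": [
            {"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"baseScore": 6.1,
             "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}},
            {"source": "vendor@example.com", "type": "Secondary", "cvssData": {"baseScore": 7.2,
             "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"}}]}}},
    {"cve": {"id": "CVE-0000-0003",  # CSRF scored only by NIST, with UI:R: nothing to flag
        "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary",
                        "description": [{"lang": "en", "value": "CWE-352"}]}],
        "metrics": {"cvssMetricV31": [
            {"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"baseScore": 8.8,
             "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}}]}}},
]


def cvss_entries(record):
    """Yield (source, type, base_score, vector) for every CVSS v3.x score."""
    metrics = record["cve"].get("metrics", {})
    for key in ("cvssMetricV31", "cvssMetricV30"):
        for m in metrics.get(key, []):
            yield (m["source"], m["type"],
                   m["cvssData"]["baseScore"], m["cvssData"]["vectorString"])


def score_conflict(record):
    """Return (primary, secondary) base scores when both exist and differ, else None."""
    by_type = {}
    for _src, typ, score, _vec in cvss_entries(record):
        by_type.setdefault(typ, score)  # first score of each type is used
    if "Primary" in by_type and "Secondary" in by_type:
        p, s = by_type["Primary"], by_type["Secondary"]
        if p != s:
            return p, s
    return None


def cwes_by_type(record, typ):
    """CWE IDs assigned to the record by Primary or Secondary weakness entries."""
    return {d["value"] for w in record["cve"].get("weaknesses", [])
            if w["type"] == typ for d in w["description"]}


def ui_from_vector(vector):
    """Extract the User Interaction metric ('N' or 'R') from a CVSS v3 vector."""
    m = re.search(r"(?:^|/)UI:([NR])(?=/|$)", vector)
    return m.group(1) if m else None


def missing_ui_r(record):
    """Scores whose source type tags the CVE as XSS/CSRF but does not use UI:R.

    As in the report, CWE and vector are compared within the same source type
    (Primary weakness vs Primary score, Secondary vs Secondary)."""
    return [(src, typ, vec) for src, typ, _score, vec in cvss_entries(record)
            if cwes_by_type(record, typ) & USER_INTERACTION_CWES
            and ui_from_vector(vec) != "R"]


def audit(records):
    """Count records with both score types, score conflicts, and UI:R errors."""
    summary = {"with_both_scores": 0, "conflicting": 0,
               "ui_errors": {"Primary": 0, "Secondary": 0}, "findings": []}
    for rec in records:
        cve_id = rec["cve"]["id"]
        types = {typ for _s, typ, _sc, _v in cvss_entries(rec)}
        if {"Primary", "Secondary"} <= types:
            summary["with_both_scores"] += 1
            conflict = score_conflict(rec)
            if conflict:
                summary["conflicting"] += 1
                summary["findings"].append((cve_id, "score conflict", conflict))
        for src, typ, vec in missing_ui_r(rec):
            summary["ui_errors"][typ] += 1
            summary["findings"].append((cve_id, f"{typ} ({src}) lacks UI:R", vec))
    return summary
```

To run it on real data, load the `vulnerabilities` array from a saved NVD API 2.0 response and pass it to `audit()`; the `findings` list names the CVE, the problem and the scores or vector involved. The first constructed record reproduces the 9.1-versus-7.5 split the article describes. The second shows why the UI:R check matters for prioritization: dropping UI:R on an XSS entry not only fails the consistency check but, because User Interaction feeds the CVSS exploitability sub-score, also inflates the base score (7.2 instead of 6.1) and so creates a conflict with the primary score.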

“CVSS scores are a driving force behind vulnerability management and remediation. Typically, the scores are sourced from NIST’s NVD. Therefore, the accuracy of the scores in NVD is an important factor in the database’s overall usefulness. There is reason to believe that there is a non-negligible error rate in NIST’s CVSS scoring which could have a negative impact on organizations that rely on NVD, directly or indirectly, for accurate information,” VulnCheck concluded.
