We’ve had some complaints about inflated CVSS scores, which are par for the course for using CVSS.
One area that’s tricky is assessing libraries. Notably when assessing attack vectors in libraries, I think there’s a tendency to err on the side of caution and assume that any library is inevitably going to be stuck behind a network service, and therefore any vulnerability in a library should be counted as network exploitable.
I’m not sure assessing libraries this way is practically helpful and often leads to overinflated scores.
This isn’t helped particularly by e.g. assessing the complexity of a network attack as “high” in cases where it is typically going to be completely impractical in a network setting, e.g. requiring novel remote side-channel attacks or impractical scenarios involving excessively large data volumes.
Perhaps as a suggestion to reduce score inflation, we can suggest that libraries are only assessed as being network exploitable if they actually include network-related functionality, instead of assuming that every library under the sun is network exploitable simply by virtue of existing.