Ubuntu recently classified a 9.8 CVSS rated vulnerability as "low priority". The first question would seemingly be, how could something so clearly identified as critical be reclassified to nothing?

Well, that's an easy answer. Because that's the whole point of CVSS.

But what failed here? That's also fairly easy, our overreliance on the provided CVSS ratings from NVD, or really, anyone but ourselves.

The Story

It started in 2019 and then it ended, And then it came back.

In 2019, the open-source project curl received a bug report that was for an overflow/wraparound (CWE-190) and the question of filing a CVE was raised. At the time, the security members of the curl project identified the finding as non-exploitable/non-security issue, set their severity rating to low, and merged a fix for the bug regardless.

Problem opened. Problem closed.

End of story.

But wait! There's more!

In August of 2023, an anonymous individual filed a CVE (CVE-2020-19909) for this same bug. After the newly filed (in 2023) CVE (for a 2019 non-security bug) was made public, the National Vulnerability Database (NVD), who has the final say of a CVSS value, classified it as a 9.8 (critical) on their scoring system.

Was Ubuntu wrong?

With the whole picture in mind, we can reflect on Ubuntu's classification of this critical CVE as low, and hopefully, we conclude that their decision makes perfect sense.

CVSS was designed to be applied to OUR environments. Not to be individually classified by one entity and taken as the word of god by every company thereafter. While there are many horrifying pieces of this story that I expect we will be exploring for a time to come, an important piece here that I want to emphasize is that what Ubuntu did, is what ALL OF US should be doing as part of our vulnerability management programs:

To assess the severity of vulnerability findings and classify them, as relevant to the environmental, regulatory, and risk tolerance factors unique to our business.

I want to explore this significantly more in future posts, as you'll already be seeing lots of callouts for "CVSS is broken!", and I'd like to discuss more about how this isn't so simple and there is more that the industry could do with CVSS that our vendors don't allow us to.

To be continued!

Additional reading

Huge credit and kudos to Daniel Stenberg for their great write-up on this topic and many other related issues NVD, CVE, CVSS and beyond. Be sure to go and read all of their work!

• https://daniel.haxx.se/blog/2023/08/26/cve-2020-19909-is-everything-that-is-wrong-with-cves/

• https://daniel.haxx.se/blog/2023/06/12/nvd-damage-continued/

• https://nvd.nist.gov/vuln/detail/CVE-2020-19909

• https://github.com/curl/curl/pull/4166

• https://ubuntu.com/security/CVE-2020-19909

• https://hackerone.com/reports/661847