undefined | Better HN

0 pointsrfd4sgmk8u4y ago0 comments

The CVSS score cannot be trusted? How so? I don't see why any of the log4j CVE's 'cant be trusted'?

0 comments

The third CVE arbitrarily had a score of ~7.5 despite requiring a non-standard configuration and only enabling a denial of service attack. The preceding CVE with the same outcome only warranted a 3.5, until it was shown to also potentially allow an RCE. CVSS is honestly pretty open to interpretation, since it's not a particularly objective set of measures.

rfd4sgmk8uOP4y ago

Fair enough, I agree with you there. CVSS(v2/v3) can be subjective and can change when new information comes to light.

j / k navigate · click thread line to collapse

0 comments

Sebguer4y ago

rfd4sgmk8uOP4y ago

Fair enough, I agree with you there. CVSS(v2/v3) can be subjective and can change when new information comes to light.

j / k navigate · click thread line to collapse