Hello everyone,
I am using Greenbone Security Assistant 25.0.0 with the Full and Fast scan configuration and noticed the following behavior.
Issue Description
During an unauthenticated (no credentials) scan:
- The scanner correctly detects applications and versions under Scans → Reports → Applications.
- The detected applications show proper CPEs.
- However, the Severity column in the Applications list displays “N/A”.
If I click one of the applications, the detailed CPE page shows:
- A Severity rating (e.g., 9.8 High)
- Multiple CVEs listed with correct CVSS scores
But none of those CVEs appear in the main scan report, and the host still shows “Severity: N/A”.
My Understanding
My assumption is:
- The CVEs shown on the CPE detail page come from static CPE → CVE database mapping.
- Since the scan does not use credentials, the scanner cannot validate the actual installed version.
- Therefore, no NVT confirms the vulnerability, so the scan report keeps Severity as N/A, even though the CPE detail page lists CVEs.
In other words:
Detected CPE does not automatically mean confirmed vulnerabilities.
My Question
Is this behavior expected for scans without credentials?
More specifically:
- Is it normal that the CPE detail page shows relevant CVEs, while the scan report still shows Severity = N/A?
- Are these CPE-based CVEs intended to be informational only unless the scanner can validate them?
- Does enabling credentials allow these vulnerabilities to appear in the main report with actual severity?
Goal
I would like to confirm whether this is:
- Expected design behavior
- A limitation of unauthenticated scans
- Or a configuration issue
Thank you!