CVE-2022-4877 severity


I see CVE-2022-44877 severity is defined as log in OpenVas DB, while it is considered as high vulnerability in others. Could somebody please advise why the difference? Thanks in advance.


Hello and welcome to this community forum.

A rationale for this is given in 14 Managing SecInfo — Greenbone Enterprise Appliance 22.04.6 documentation which has the following content:

Columns like Severity may display N/A for one of the following reasons:

  • The CVE was published but no vulnerability analysis/severity assessment was carried out by the NVD yet. This can take a few days up to a few weeks.
    Such CVEs can be identified when browsing the related entry. As long as Undergoing Analysis is displayed there, N/A is shown in the columns for the CVE.
  • There is always a delay of 1 – 2 working days between the vulnerability analysis/severity assessment and the time the updated information is displayed in the SecInfo.

Important notes:

  • The SecInfo -> CVEs view is completely unrelated to any vulnerability tests (VTs have their own severity assigned) and is supplemental data for cross-references and similar (SCAP data).
  • If a CVE is listed in SecInfo -> CVEs it doesn’t mean that a VT exists. The availability of a VT needs to be looked up via SecInfo -> NVTs instead.
  • A VT for CVE-2022-44877 (there is currently a typo in the topic title for this CVE) is available in the Greenbone Enterprise Feed only.
  • To get updated severity info in SecInfo -> CVEs a working feed synchronization is mandatory
1 Like