GSA version 22.5 and version 20.8.1 have different CVSS Severities for the same detection result

I scanned one system using two Greenbone Security Assistant (GSA) instances after updating the vulnerability DB.

One is version 22.5 of GSA installed on one Kali Linux server, and the other is version 20.8.1 of GSA installed on another Kali Linux server.

After scanning it, the following vulnerability was detected in both versions.

NVT: SSL/TLS: Report Vulnerable Cipher Suites for HTTPS
OID: 1.3.6.1.4.1.25623.1.0.108031

However, the CVSS score was different, as follows.

Version 22.5: CVSS 7.5 (High)
Version 20.8.1: CVSS 5.0 (Medium)

It seems version 20.8.1’s CVSS is the correct one according to the following page.

The question is: why is the CVSS different depending on the version, and which CVSS is correct?

Hello,

and welcome to this community forum.

As announced via GVM 21.04 (end-of-life, initial release 2021-04-16), version 21.04 introduced CVSSv3.0/CVSSv3.1 support, and if available these “newer” scoring variants take precedence over the “old” CVSSv2.0 one.

In the VT example given in the initial posting, one can see that the following attached CVE has the highest severity:

https://nvd.nist.gov/vuln/detail/CVE-2016-2183

which has:

3 Likes

Thank you very much for your quick reply.
My questions have been completely cleared up.

1 Like