GSA version 22.5 and version 20.8.1 have different CVSS Severities for the same detection result

I scanned one system by using two Greenbone Security Assistant(GSA) after updating the vulnerability DB.

One is version 22.5 of GSA installed on one Kali Linux server
and another is version 20.8.1 of GSA installed on another Kali Linux server.

After scanning it, the following vulnerability was detected in both versions.

NVT: SSL/TLS: Report Vulnerable Cipher Suites for HTTPS

However, CVSS was different as follows.

Version 22.5: CVSS 7.5 (High)
Version 20.8.1: CVSS 5.0 (Medium)

It seems Version 20.8.1’s CVSS looks correct from the following page.

The question is : The reason why the CVSS is different depending on the version, and which CVSS is correct.


and welcome to this community forums.

As announced via GVM 21.04 (end-of-life, initial release 2021-04-16) version 21.04 introduced CVSSv3.0/CVSSv3.1 support and if available these “newer” scoring variants takes precedence over the “old” CVSSv2.0 one.

In the VT example as given in the initial posting one can see that the following attached CVE has the highest severity:

which has:


Thank you very much for your quick reply.
My questions have been completely cleared.

1 Like