Hello there,
It seems that there are several instances (which have now been corrected) where the CVSS vector string does not follow the compliant ordering. While the base score looks correct, this might be a compliance mismatch downstream.
Another thing is that it seems GHSA calculates the Environmental Score instead of the base score. For example, GHSA-mc24-7m59-4q5p. This GHSA has the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H, which should resolve to a CVSS score of 8.3 instead of the Environmental Score of 8.4.
I am wondering if the GitHub Sec team has put some consideration into validating the vector string for all existing and upcoming GHSAs being created?
Thank you for your work and your time!
Chi Tran
Amazon Inspector
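The two checks the post asks for, as an added example that is not part of the original post or of GitHub's advisory tooling: a strict parser that rejects a CVSS v3.1 base vector whose metrics are not in canonical order, and the v3.1 base score formula applied to the quoted vector (8.3). Passing environmental=True applies the v3.1 ModifiedImpact formula (exponent 13 and the 0.9731 factor) with every Environmental metric left at Not Defined, which is the formula that yields the 8.4 the post describes.

```python
import math
import re
# CVSS v3.1 base metrics: canonical order (spec section 6) and weights (spec section 7.4).
ORDER = ["AV", "AC", "PR", "UI", "S", "C", "I", "A"]
WEIGHTS = {
    "AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2},
    "AC": {"L": 0.77, "H": 0.44},
    "PR": {"N": (0.85, 0.85), "L": (0.62, 0.68), "H": (0.27, 0.5)},  # (scope U, scope C)
    "UI": {"N": 0.85, "R": 0.62},
    "S": {"U": 0, "C": 1},
    "C": {"H": 0.56, "L": 0.22, "N": 0.0},
    "I": {"H": 0.56, "L": 0.22, "N": 0.0},
    "A": {"H": 0.56, "L": 0.22, "N": 0.0},
}
def roundup(x):
    """Spec section 7.5 Roundup: round up to one decimal, via integers to avoid float drift."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0
def parse_base_vector(vector):
    """Return {metric: value}; reject a bad prefix, unknown metrics/values or non-canonical order."""
    prefix, *parts = vector.split("/")
    if prefix != "CVSS:3.1":
        raise ValueError("unsupported prefix " + prefix)
    pairs = [re.fullmatch(r"([A-Z]+):([A-Z])", p) for p in parts]
    if None in pairs or [m.group(1) for m in pairs] != ORDER:
        raise ValueError("base metrics malformed, missing, duplicated or out of order: " + vector)
    metrics = {m.group(1): m.group(2) for m in pairs}
    for k, v in metrics.items():
        if v not in WEIGHTS[k]:
            raise ValueError("invalid value %s for %s" % (v, k))
    return metrics
def score(metrics, environmental=False):
    """Base score per spec section 7.1. environmental=True instead uses the section 7.3 ModifiedImpact
    formula with every Environmental metric at Not Defined (the source of the 8.4 in the post)."""
    changed = WEIGHTS["S"][metrics["S"]]
    iss = 1 - (1 - WEIGHTS["C"][metrics["C"]]) * (1 - WEIGHTS["I"][metrics["I"]]) * (1 - WEIGHTS["A"][metrics["A"]])
    if not changed:
        impact = 6.42 * iss
    elif environmental:  # v3.1 changed the exponent to 13 and added the 0.9731 factor here
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss * 0.9731 - 0.02) ** 13
    else:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    exploitability = 8.22 * WEIGHTS["AV"][metrics["AV"]] * WEIGHTS["AC"][metrics["AC"]] \
        * WEIGHTS["PR"][metrics["PR"]][changed] * WEIGHTS["UI"][metrics["UI"]]
    if impact <= 0:
        return 0.0
    return roundup(min((1.08 if changed else 1.0) * (impact + exploitability), 10))
```

The parser accepts only the eight base metrics, so a vector carrying Temporal or Environmental metrics would need those stripped or validated separately.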