Two separate vulnerabilities, and I don't think CVSS takes into account the level of privileges you gain, just whether scope has been changed, right?
Right. So in CVSS 3 terms, it's the difference between a 7.3 and an 8.3
Ask for a second CVE for the vulnerable setuid-binary.
Do people have workflows that treat the presence of multiple CVEs in the same product differently than just one? And if so, what does that combinatorial math look like?
- 1 more reply
Is the said setuid a separate vuln or is it part of the system design? If the latter, the CVSS score would be "11 - Commodore 64 called and wanted its security model back"
System design.
- 11 more replies
This is exactly why we had trouble using cvss for red team findings. It was hard to tell the full story of the attack chain.
I can’t even imagine trying to use CVSS for red team reporting.
- 6 more replies
“Nobody is affected” CVSS score 0
And thus one of the many problems with CVSS. It's better than nothing, but it's such a hard problem.