CVSS score adjustment | Fluid Attacks Help

CVSS score adjustment

Software composition analysis (SCA) detects when open-source components and dependencies in your software project have associated CVE entriesFluid Attacks understands that particular circumstances need to be present for these vulnerabilities to be exploited, and that these circumstances are not necessarily met in the context of your application. To accurately reflect their potential impact, Fluid Attacks adjusts the CVSS score of vulnerabilities found with SCA scans. This involves retrieving the original CVSS score and specifying that the scan cannot prove that the vulnerability is exploitable, as well as specifying the Remediation Level and Report Confidence values, which is something the CVE-reporting source might not do. The added specificity is as follows:
  1. Exploit Code Maturity (E) as 'Unproven' (U)
  2. Remediation Level (RL) as 'Official Fix' (O)
  3. Report Confidence (RC) as 'Confirmed' (C)
The above factors accounted for, CVSS scores reported by Fluid Attacks' SCA are lower than those calculated by the CVE-reporting sources.

To illustrate this, consider the following example of a vulnerability reported by Fluid Attacks' SCA:

See vulnerability found by the Fluid Attacks SCA
  1. By clicking on its location, you can identify the CVE in question in the Details tab.
    2. See SCA vulnerability CVE in the Fluid Attacks platform

  2. Switching to the Severity tab, you can learn the CVSS vector string assigned by Fluid Attacks (CVSS v3.1 score: 8.5).
    3. See vector string in the Fluid Attacks platform

  3. Checking the advisory by the responsible CNA, you can learn the CVSS vector string assigned by them (CVSS v3.1 score: 9.8).
    4. See CVSS score given by the CVE source

  4. Comparing both vector strings, you can notice that Fluid Attacks specified E, RL and RC, bringing more accuracy to the CVSS score calculation.
    Source: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    Fluid Attacks: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
    The result is a significant difference of 1.3 units or, in terms of the qualitative severity rating, one level.
Note on CVSS score adjustment
If Fluid Attacks' hacking team performs a review of a vulnerability reported by SCA scans and can prove that the vulnerability is exploitable, the CVSS score is adjusted to reflect this.