
Vulnerability Assessment: Open-Source Developer Renews Criticism of CVSS and CVE



Daniel Stenberg, the inventor and lead developer of the open-source command-line tool curl, has once again criticized the CVE (Common Vulnerabilities and Exposures) ecosystem in a blog entry. The focus of his current criticism: CVSS (Common Vulnerability Scoring System), which is closely tied to CVE.



According to Stenberg, the CVSS scoring process carries a high risk of error from the outset. This danger is further increased by the fact that specially authorized parties such as the US agency CISA can supplement any existing CVE with a score calculation of their own.

In the past, "enriching" CVE entries that lacked additional information such as a CVSS score was the task of the NVD (National Vulnerability Database). Following a large backlog of unprocessed CVEs, this task has since last year largely been taken over by the US cybersecurity agency CISA. In a GitHub repository for the so-called "Vulnrichment" project, it systematically works through the backlog, but also enriches new entries.


Stenberg publicly took a stand against a bogus CVE entry in September last year. He has also voiced fundamental criticism of CVSS in earlier blog entries.

In a new post with the dramatic title "CVSS is dead to us", the developer refers to the fact that the curl team has for years been using its own rating system based on four possible severity levels.

In his view, the CVSS evaluation criteria are suitable for accurate classification only when you know exactly where and how the hardware or software product in question is used and how an exploit would affect it. For a project like curl, which is used in billions of instances in completely different applications and environments, this simply does not work.

As Stenberg adds in the blog entry mentioned at the beginning, a CVSS score is not mandatory in any way. The curl team, in its role as a CNA (CVE Numbering Authority), would therefore be free to leave this information out of the entries it creates itself.

The problem is that CISA clearly does not respect this very deliberate omission. The agency sees it as its job to complete "incomplete" entries in the CVE database. In its role as an Authorized Data Publisher (ADP), it can do so within fixed data containers without consulting the CNAs, and it does so for curl CVEs too.

The time the Vulnrichment team can spend per CVE is likely to be severely limited in view of the continually increasing number of vulnerabilities, as is the team's insight into the specific technical details of each individual vulnerability.

Stenberg sees a high risk of resulting miscalculations and gives the curl vulnerability CVE-2024-11053 from the end of last year as a concrete example. While the curl team classified it as "low" under its own system, CISA evidently considered it highly dangerous and added a CVSS base score of 9.1 ("Critical") to the CVE entry. After Stenberg objected, the agency then reduced the score to 3.4 ("Low").

For Stenberg, this process is a sign of the randomness and arbitrariness of the calculated scores, and of ADPs that "click" through the CVSS calculator in a hurry and without deep insight into the technical details.

The developer does not see a solution to the problem at this time: since the curl team does not take part in the "CVSS dance", it will not be spared this treatment.

Reactions to Stenberg's post range from approval to cautious criticism. A member of the IT security team of a programming-language project confirmed having had negative experiences with CISA's "enrichment" as well.

Others, in turn, consider the fundamental criticism of CVSS to be exaggerated, at least in part. One comment emphasizes that the ability to evaluate vulnerabilities with CVSS is rarely used to its full extent: besides the omnipresent base score, CVSS also includes temporal adjustments (the temporal metric group) and options to adapt the score to the environment of the affected system (the environmental metric group), both of which are used very rarely. Another commenter picks up on this and suggests that the base score should serve as a foundation rather than a final verdict.


(OVW)
