I cannot help but feel baffled by the way MITRE calculates the score of CVEs. I mean, we have the Common Vulnerability Scoring System (CVSS) to help standardize the process and get an estimated score for the severity of a vulnerability, but the MITRE team that assigns/publishes a CVE appears to have its own understanding of the CVSS criteria.
I am totally fine with them weighting a vulnerability from their own perspective and not taking the CVSS 3.1 vector from the researcher as-is, but assigning (N) to UI where it clearly requires user interaction (at least passively) just does not feel right and deviates from the standardization.
Take https://www.cve.org/CVERecord?id=CVE-2023-50458 as an example.
To exploit the vulnerability the attacker needs to upload dummy scan results continuously and scan the output console for information disclosure. This information disclosure will NOT happen, if other users of Dradis do not upload their scan results. Without scan results in the backlog waiting to be processed, NOTHING will be disclosed. User interaction is clearly required, passively.
To exploit the vulnerability there is no real complexity involved. I, as an attacker, do not have to prepare or attempt to bypass security measures, etc. Why would MITRE assign (H) to attack complexity (AC)?
And don’t get me started on the infamous Scope (S), where MITRE decided that the scope is changed (C). I mean, affected is Dradis and disclosed is data managed by Dradis, nothing more, nothing less.
Of course, I can go ahead and submit a request to change the score, but I have done so several times for this and/or other advisories OF MY OWN. Yet nothing gets updated, nor do I get any feedback from MITRE.
@MITRE, are you underfunded, again? Can you shed light on the capabilities of the team assigning those scores?