"Alert: if you look up curl CVEs in public sources like NVD you will find they use inflated severity levels and CVSS scores. They think they know better and override our assessments. This is a systemic error that we unfortunately cannot fix. Feel free to complain to them - we keep doing it to no use - and consider using our material as the canonical sources for curl issues."

Quote from curl.se/docs/security.html #curl
in reply to daniel:// stenberg://

It's not just you. These ratings are done when considering the worst possible circumstances. There are also some perverse incentives working to boost the scores.

I believe that CVSS 4.0 has the ability to fix some of this, but we'll see.

in reply to Elias Mårtenson

@loke I know we are far from alone - I expect this to happen to virtually everyone. But as I work on #curl and it is a problem for us, I try to educate our audience in how this works.

I very much doubt that any CVSS change can fix this. It's an NVD problem rather than anything else as I see it.

in reply to daniel:// stenberg://

True. But at least CVSS 4.0 has custom categories, so it's possible to design a set of specific adjustments for a certain product.

Now, whether or not the NVD will take these into consideration is a completely different question.