ppkarwasz commented on PR #4080: URL: https://github.com/apache/logging-log4j2/pull/4080#issuecomment-4327112480
Hi @marcelstoer,

Sorry about that! :wink:

We intentionally published a CVSS 4.0 score, to prevent CISA from providing its own and blowing this out of proportion. Unfortunately NVD “enriches” the record by:

- Assigning it the same CPE as for `log4j-core` (`cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*` instead of the one we gave in the CVE record `cpe:2.3:a:apache:log4j_layout_template_json:*:*:*:*:*:*:*:*`),
- Dropping the Package URL,
- Bumping the CVSS by lowering Complexity from `High` to `Low` and increasing Integrity from `Low` to `High`.

Since NVD is basically not operational, maybe you can convince your organization to source vulnerability records directly from the CVE database or GitHub Advisories? Note that the latter currently imports from NVD, so we had to manually improve the GitHub Advisories entry, which increased the delay between the disclosure and the availability of the data.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
