
Wrong Severity in CVE-2022-40674 #3329

Closed
Franco0700 opened this issue Dec 22, 2022 · 8 comments
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments


Franco0700 commented Dec 22, 2022

Description

The vulnerability 40674 should be classified as HIGH severity instead of MEDIUM.
NIST and other databases classify it as CRITICAL or HIGH.
https://nvd.nist.gov/vuln/detail/CVE-2022-40674

Output:

┌───────────────────────────┬──────────────────┬──────────┬──────────────────────────┬─────────────────────────┬──────────────────────────────────────────────────────────────┐
│          Library          │  Vulnerability   │ Severity │    Installed Version     │      Fixed Version      │                            Title                             │
├───────────────────────────┼──────────────────┼──────────┼──────────────────────────┼─────────────────────────┼──────────────────────────────────────────────────────────────┤
│ libexpat1                 │ CVE-2022-40674   │ MEDIUM   │ 2.4.7-1                  │ 2.4.7-1ubuntu0.1        │ expat: a use-after-free in the doContent function in         │
│                           │                  │          │                          │                         │ https://avd.aquasec.com/nvd/cve-2022-40674                   │


Output of trivy -v:

trivy --version
Version: 0.35.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2022-12-22 12:07:40.331794262 +0000 UTC
  NextUpdate: 2022-12-22 18:07:40.331793862 +0000 UTC
  DownloadedAt: 2022-12-22 13:29:05.46199693 +0000 UTC

@Franco0700 Franco0700 added the kind/bug Categorizes issue or PR as related to a bug. label Dec 22, 2022
knqyf263 (Collaborator) commented

Franco0700 (Author) commented

that's the priority, not the severity. They are not the same


dgutson commented Dec 22, 2022

FWIW:
- Severity: CRITICAL
- Ubuntu's priority: MEDIUM

I think we users do care about the severity so we can do our own prioritization.

knqyf263 (Collaborator) commented

Yes, we know it is a priority, but Ubuntu doesn't think it is as urgent as CVSS score points to. As far as we know, there is no other way to know how severe it is in Ubuntu.

knqyf263 (Collaborator) commented

The priorities assigned to vulnerabilities in Ubuntu are for prioritizing the work of when CVEs will be fixed as opposed to just an assessment of severity, importance or risk. The priority is based on many factors including severity, importance, risk, install base, software configuration, active exploitation and other factors which may adjust the impact of certain vulnerabilities such as Ubuntu's proactive security features. Importantly, these priority levels are distinct from other published severity levels such as CVSS (as used in the National Vulnerability Database).

https://people.canonical.com/~ubuntu-security/priority.html#:~:text=CVE%20Priority&text=The%20priority%20is%20based%20on,as%20Ubuntu's%20proactive%20security%20features.

It is different from severity, but this is important information users should be aware of. Technically, it should be shown separately from severity, but here it is to keep things simple. We'd welcome any suggestion to improve.

Franco0700 (Author) commented

In the output message, you can write "Priority" instead of "Severity". In this way the user will know it isn't the severity score.

knqyf263 (Collaborator) commented

But it doesn't look like it can be filtered by --severity. We don't want to add --priority.


huornlmj commented Jul 19, 2023

The first thing I did when I thought there was a doubt was scan the item with a comparable composition analysis tool. That tool used the CVSS scale and immediately I saw the discrepancy. We security researchers depend on the CVSS scale. If it's being swapped out for some other scale under the hood then we ask for a fix, or people will seek a replacement tool.

BTW - re-run your scan and add the JSON output format switch. You'll see that Trivy does have both the Ubuntu priority but it also has the correct CVSS tucked away. It just doesn't appear in the table format.
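The two points made in this thread, that the table's Severity column carries the Ubuntu priority for Ubuntu packages, and that the JSON report still carries the NVD CVSS data beside it, can be checked with a small script. The following is an added example written for this page, not Trivy's own code or anything posted in the thread. It assumes the Trivy JSON layout `Results[].Vulnerabilities[]` with the fields `Severity`, `SeveritySource` and `CVSS.nvd.V3Score`; the embedded report is constructed for illustration (the second and third entries use placeholder CVE ids and made-up scores), so run it against a real `trivy ... -f json` file to see your own results. It maps the NVD CVSS v3 base score back to the NVD qualitative rating (0.1-3.9 Low, 4.0-6.9 Medium, 7.0-8.9 High, 9.0-10.0 Critical) and lists the findings where the vendor value and the CVSS rating disagree, which is exactly the gap `--severity` cannot express.

```python
"""Re-derive CVSS-based severity from a Trivy JSON report.

The table view prints the distribution's value in the Severity column
(for Ubuntu that is the Ubuntu priority); the JSON report keeps the NVD
CVSS data next to it. Field names follow Trivy's JSON schema as assumed
in the lead-in; the sample report is constructed, not real scanner output.
"""
import json
import sys

# Constructed sample shaped like `trivy image -f json <image>` output.
SAMPLE_REPORT = json.dumps({
    "Results": [{
        "Target": "example:latest (ubuntu 22.04)",
        "Vulnerabilities": [
            {   # the finding discussed in the issue; score is illustrative
                "VulnerabilityID": "CVE-2022-40674",
                "PkgName": "libexpat1",
                "InstalledVersion": "2.4.7-1",
                "FixedVersion": "2.4.7-1ubuntu0.1",
                "Severity": "MEDIUM",            # Ubuntu priority, as in the table
                "SeveritySource": "ubuntu",
                "CVSS": {"nvd": {"V3Score": 9.8}},
            },
            {   # placeholder id, constructed values
                "VulnerabilityID": "CVE-0000-0001",
                "PkgName": "examplepkg",
                "InstalledVersion": "1.0-1",
                "FixedVersion": "",
                "Severity": "LOW",
                "SeveritySource": "ubuntu",
                "CVSS": {"nvd": {"V3Score": 5.3}},
            },
            {   # placeholder id; no NVD score available at all
                "VulnerabilityID": "CVE-0000-0002",
                "PkgName": "otherpkg",
                "InstalledVersion": "2.0-1",
                "Severity": "HIGH",
                "SeveritySource": "ubuntu",
                "CVSS": {},
            },
        ],
    }]
})

# Ordered so that list index can be compared as a threshold.
RATING_ORDER = ["UNKNOWN", "NONE", "LOW", "MEDIUM", "HIGH", "CRITICAL"]


def cvss_rating(score):
    """Map a CVSS v3 base score to the NVD qualitative rating."""
    if score is None:
        return "UNKNOWN"
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    if score > 0.0:
        return "LOW"
    return "NONE"


def extract_findings(report_json):
    """Flatten the report into rows carrying both severity views."""
    report = json.loads(report_json)
    rows = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            score = v.get("CVSS", {}).get("nvd", {}).get("V3Score")
            rows.append({
                "target": result.get("Target"),
                "pkg": v["PkgName"],
                "id": v["VulnerabilityID"],
                "vendor_severity": v.get("Severity", "UNKNOWN"),
                "severity_source": v.get("SeveritySource", ""),
                "cvss_v3": score,
                "cvss_rating": cvss_rating(score),
            })
    return rows


def filter_by_cvss(rows, minimum="HIGH"):
    """Keep findings whose NVD rating is at least `minimum` (what
    `--severity` would do if it filtered on CVSS instead of the vendor value)."""
    threshold = RATING_ORDER.index(minimum)
    return [r for r in rows if RATING_ORDER.index(r["cvss_rating"]) >= threshold]


def disagreements(rows):
    """Findings where the vendor severity and the CVSS rating differ."""
    return [r for r in rows
            if r["cvss_rating"] != "UNKNOWN" and r["cvss_rating"] != r["vendor_severity"]]


if __name__ == "__main__":
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    for r in extract_findings(data):
        print(f'{r["pkg"]:<12} {r["id"]:<16} {r["severity_source"]}:{r["vendor_severity"]:<9}'
              f' nvd:{r["cvss_rating"]:<9} ({r["cvss_v3"]})')
```

Run it as `python3 severity_check.py report.json` (any filename; the script name is arbitrary) after `trivy image -f json -o report.json <image>`; with no argument it prints the constructed sample. Findings with an empty `CVSS` block are reported as UNKNOWN rather than being silently dropped or promoted, so a missing NVD entry is visible instead of being mistaken for a low score.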
