[Prisma Cloud Compute Edition] Why Do Some NVD CVEs in the Prisma Intelligence Stream Have Critical/High/Medium Severities with CVSS Score of N/A or 0?

Created On 09/30/24 21:59 PM - Last Modified 01/16/26 02:12 AM


Symptom


  • A CVE is shown in CVE Viewer with a severity of Critical/High/Medium but a CVSS score of N/A or 0.

  • NVD still lists the CVE as "Awaiting Analysis".

  • On the NVD page for the CVE, the GitHub (GHSA) entry carries a CVSS score and severity, while the NVD entry shows N/A.

Examples:

[Screenshots: opentext.png, opentext2.png]

https://nvd.nist.gov/vuln/detail/CVE-2024-37298
https://nvd.nist.gov/vuln/detail/CVE-2024-41110


Environment


Prisma Cloud Compute Edition (Self-Hosted)
Prisma Cloud Enterprise Edition (SaaS)



Cause


This is an expected behavior consistent with our current product design.



Resolution


In the scenarios where NVD is the source of a CVE's data:

  • We primarily rely on NVD for both severity and CVSS scores.

  • When NVD hasn’t completed its analysis of a CVE, the CVSS score and severity may be unavailable.

  • In such cases, we fall back to a secondary source, like GHSA, but only for the severity.

  • For the CVSS score, we strictly use NVD's rating, which is currently marked as N/A because their analysis is still pending.

  • Referring to the JSON for CVE-2024-37298 in NVD, we see that the primary source (NVD) is not yet available, but the secondary source (GHSA) is:

     {
       "cve": {
         "id": "CVE-2024-37298",
         "sourceIdentifier": "security-advisories@github.com",
         "published": "2024-07-01T19:15:04.283",
         "lastModified": "2024-07-02T12:09:16.907",
         "vulnStatus": "Awaiting Analysis",
         "cveTags": [],
         "descriptions": [
           {
             "lang": "en",
             "value": "gorilla/schema converts structs to and from form values. Prior to version 1.4.1, running `schema.Decoder.Decode()` on a struct that has a field of type `[]struct{...}` opens it up to malicious attacks regarding memory allocations, taking advantage of the sparse slice functionality. Any use of `schema.Decoder.Decode()` on a struct with arrays of other structs could be vulnerable to this memory exhaustion vulnerability. Version 1.4.1 contains a patch for the issue."
           }
         ],
         "metrics": {
           "cvssMetricV31": [
             {
               "source": "security-advisories@github.com",
               "type": "Secondary",
               "cvssData": {
                 "version": "3.1",
                 "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                 "attackVector": "NETWORK",
                 "attackComplexity": "LOW",
                 "privilegesRequired": "NONE",
                 "userInteraction": "NONE",
                 "scope": "UNCHANGED",
                 "confidentialityImpact": "NONE",
                 "integrityImpact": "NONE",
                 "availabilityImpact": "HIGH",
                 "baseScore": 7.5,
                 "baseSeverity": "HIGH"
               },
               "exploitabilityScore": 3.9,
               "impactScore": 3.6
             }
           ]
         }
       }
     }

  • As a result, we pick the severity (High) from GHSA, but not the CVSS score, as we rely solely on NVD for that.
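The fallback rule described above, written out as an added example (not Prisma Cloud's own code) over NVD 2.0-style JSON: the CVSS score is taken only from the NVD metric, while severity falls back to a secondary metric such as GHSA. The records are constructed; the "Awaiting Analysis" one mirrors the CVE-2024-37298 entry quoted above, the "Analyzed" one uses a placeholder CVE id, and the example assumes NVD's own metric is the entry with type "Primary" (source nvd@nist.gov) and GHSA's the one with type "Secondary", as in the record above.

```python
import json

# Constructed record mirroring the quoted CVE-2024-37298 entry: still "Awaiting Analysis",
# only a Secondary (GHSA) CVSS v3.1 metric is present, no Primary (NVD) metric yet.
AWAITING_ANALYSIS = json.loads("""{
  "cve": {"id": "CVE-2024-37298", "vulnStatus": "Awaiting Analysis",
    "metrics": {"cvssMetricV31": [
      {"source": "security-advisories@github.com", "type": "Secondary",
       "cvssData": {"baseScore": 7.5, "baseSeverity": "HIGH"}}]}}
}""")

# Constructed record (placeholder CVE id) for a CVE NVD has finished analysing: a Primary
# metric now sits beside the Secondary one, and the two deliberately disagree.
ANALYZED = json.loads("""{
  "cve": {"id": "CVE-0000-00000", "vulnStatus": "Analyzed",
    "metrics": {"cvssMetricV31": [
      {"source": "security-advisories@github.com", "type": "Secondary",
       "cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}},
      {"source": "nvd@nist.gov", "type": "Primary",
       "cvssData": {"baseScore": 7.5, "baseSeverity": "HIGH"}}]}}
}""")

# Constructed record with no metrics from any source at all.
NO_METRICS = {"cve": {"id": "CVE-0000-00001", "vulnStatus": "Awaiting Analysis"}}


def metric_by_type(record, metric_type):
    """Return the first cvssMetricV31 entry whose type is "Primary" or "Secondary", else None."""
    for m in record["cve"].get("metrics", {}).get("cvssMetricV31", []):
        if m.get("type") == metric_type:
            return m
    return None


def severity_and_score(record):
    """Apply the article's rule and return (severity, score).

    Score: only from the Primary (NVD) metric, otherwise "N/A".
    Severity: from the Primary metric when present, otherwise from a Secondary metric
    such as GHSA, otherwise "N/A".
    """
    primary = metric_by_type(record, "Primary")
    if primary is not None:
        return primary["cvssData"]["baseSeverity"], primary["cvssData"]["baseScore"]
    secondary = metric_by_type(record, "Secondary")
    severity = secondary["cvssData"]["baseSeverity"] if secondary else "N/A"
    return severity, "N/A"  # score stays N/A until NVD publishes its own rating


if __name__ == "__main__":
    for rec in (AWAITING_ANALYSIS, ANALYZED, NO_METRICS):
        print(rec["cve"]["id"], rec["cve"]["vulnStatus"], severity_and_score(rec))
```

Running it shows why CVE Viewer can report High with a score of N/A: the GHSA severity is accepted, but the score waits for the Primary NVD metric.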



    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HEDUCA4&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail