Why CVE-XXXX-XXXXX severity in Prisma Cloud is different than NVD

Created On 10/07/22 14:31 PM - Last Modified 06/09/25 19:53 PM


Symptom


Let's take an example:
CVE-2022-22970 is listed with 'High' severity in Prisma Cloud Compute (PCC), but 'Medium' is expected according to the NVD and vendor ratings.


Environment


Any environment using Prisma Cloud

Cause


As per our documentation:
For known vulnerabilities with a CVE, we rely on the most authoritative source. For OS packages, the CVE details are from the specific vendor feed. For other CVEs, the information is from official sources like NVD and vendor-specific security advisories. If the affected package is maintained by an OS vendor, the severity as indicated by the vendor is used and not the severity determined by NVD. Furthermore, for new vulnerabilities missing analysis, or undocumented vulnerabilities, we rely on severity determined by our researchers.


Resolution


For this specific case:
- Downloading the record from the Intel Stream shows CVE-2022-22970 rated High for the JAR file, meaning this is not an OS package.
- GitHub is now a CNA (CVE Numbering Authority), assigning CVE numbers and publishing vulnerability records.
- This rating applies to the base JAR file that one might download using Maven.
- Red Hat has nothing to do with the JAR file, so its updates and security apparatus do not apply here.
- Information regarding all CVEs flows into NVD, but NVD is not the best source for detailed information on remediation steps for specific variants of a CVE.
- Investigations regarding a CVE should not depend on NVD alone, but should branch out via the links NVD publishes to other vendors and organizations.
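The severity-source precedence described in the Cause section, and the JAR-versus-OS-package distinction from the list above, as an added illustration that is not Prisma Cloud's own code. The record fields, function names and the sample ratings for the OS-package variant are constructed assumptions; only the High (Intel Stream, JAR) and Medium (NVD) ratings for CVE-2022-22970 come from the article.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed model of the documented precedence: OS packages take the OS
# vendor's rating; everything else takes the NVD/CNA advisory rating; CVEs
# with no analysis fall back to an in-house researcher rating.
# All names here are illustrative assumptions, not Prisma Cloud APIs.

@dataclass
class CveRecord:
    cve_id: str
    package: str
    os_package: bool                      # True if shipped by an OS vendor feed
    vendor_severity: Optional[str]        # rating from the OS vendor feed
    advisory_severity: Optional[str]      # rating from NVD or the CNA advisory
    researcher_severity: Optional[str]    # in-house rating for unanalysed CVEs

def resolve_severity(rec: CveRecord) -> Tuple[str, str]:
    """Return (severity, source) following the documented precedence."""
    if rec.os_package and rec.vendor_severity:
        return rec.vendor_severity, "os-vendor-feed"
    if rec.advisory_severity:
        return rec.advisory_severity, "nvd-or-cna-advisory"
    if rec.researcher_severity:
        return rec.researcher_severity, "vendor-research"
    return "Unknown", "none"

def explain_mismatch(rec: CveRecord, nvd_severity: str) -> str:
    """Describe why the resolved severity differs from the NVD rating, if it does."""
    sev, src = resolve_severity(rec)
    if sev == nvd_severity:
        return f"{rec.cve_id} ({rec.package}): {sev}, matches NVD"
    reason = ("OS package, vendor rating takes precedence" if rec.os_package
              else "not an OS package, OS vendor rating does not apply")
    return f"{rec.cve_id} ({rec.package}): {sev} from {src}; NVD says {nvd_severity}; {reason}"

# Constructed sample records: the Maven JAR from the article, plus a hypothetical
# OS-vendor build of the same library to show the other branch of the rule.
JAR = CveRecord("CVE-2022-22970", "spring-core.jar (Maven)", False, None, "High", None)
RPM = CveRecord("CVE-2022-22970", "spring-core (hypothetical RPM)", True, "Medium", "High", None)

if __name__ == "__main__":
    for rec in (JAR, RPM):
        print(explain_mismatch(rec, "Medium"))
```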

