Why the Severity is set to HIGH for ruby rexml CVE-2024-49761 with CVSS score = 6.6 #8111

jwenjian · 2024-12-17T07:53:54Z

jwenjian
Dec 17, 2024

Question

Hi,

I'd like to know how the severity of trivy works, I thought it just use the CVE severity?

But the ruby rexml gem CVE, https://www.cve.org/CVERecord?id=CVE-2024-49761, I got HIGH by trivy output, but I saw Medium in cve.org.

somewhere wrong?

Thanks

Target

Container Image

Scanner

Vulnerability

Output Format

Table

Mode

Standalone

Operating System

Rocky Linux 9.0

Version

# trivy --version
Version: 0.58.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-12-17 06:16:04.798697378 +0000 UTC
  NextUpdate: 2024-12-18 06:16:04.798697017 +0000 UTC
  DownloadedAt: 2024-12-17 07:25:33.40114213 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2024-12-17 02:46:02.884793825 +0000 UTC
  NextUpdate: 2024-12-20 02:46:02.884793715 +0000 UTC
  DownloadedAt: 2024-12-17 07:38:13.416442913 +0000 UTC

Answered by knqyf263

Dec 17, 2024

It's described here: https://trivy.dev/latest/docs/scanner/vulnerability/#severity-selection

View full answer

jwenjian · 2024-12-17T07:55:08Z

jwenjian
Dec 17, 2024
Author

trivy output when I scan container images:

ghcr.io/voxpupuli/puppetserver:8.7.0-latest (ubuntu 22.04)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-12-17T15:38:13+08:00       INFO    Table result includes only package filenames. Use '--format json' option to get the full path to the package file.

Ruby (gemspec)

Total: 1 (HIGH: 1, CRITICAL: 0)

┌─────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────┐
│           Library           │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                         Title                          │
├─────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────┤
│ rexml (rexml-3.2.5.gemspec) │ CVE-2024-49761 │ HIGH     │ fixed  │ 3.2.5             │ >= 3.3.9      │ REXML is an XML toolkit for Ruby. The REXML gem before │
│                             │                │          │        │                   │               │ 3.3.9...                                               │
│                             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-49761             │
└─────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────┘

2 replies

knqyf263 Dec 17, 2024
Maintainer

It's described here: https://trivy.dev/latest/docs/scanner/vulnerability/#severity-selection

Answer selected by jwenjian

jwenjian Dec 18, 2024
Author

Thanks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Why the Severity is set to HIGH for ruby rexml CVE-2024-49761 with CVSS score = 6.6 #8111

{{title}}

Replies: 1 comment 2 replies

{{title}}

{{title}}

{{title}}

Select a reply

Why the Severity is set to HIGH for ruby rexml CVE-2024-49761 with CVSS score = 6.6 #8111

jwenjian Dec 17, 2024

Question

Target

Scanner

Output Format

Mode

Operating System

Version

Replies: 1 comment · 2 replies

jwenjian Dec 17, 2024 Author

knqyf263 Dec 17, 2024 Maintainer

jwenjian Dec 18, 2024 Author

jwenjian
Dec 17, 2024

Replies: 1 comment 2 replies

jwenjian
Dec 17, 2024
Author

knqyf263 Dec 17, 2024
Maintainer

jwenjian Dec 18, 2024
Author