Sonatype Data Research supplies reserved CVE CVSS scores

As of February 23, 2016, the Sonatype Data Research group provides Common Vulnerability Scoring System (CVSS) scores for security issues that have reserved CVEs.

After requesting a CVE ID from MITRE, some projects or researchers do not go back and fill in the details, resulting in an incomplete CVE. These CVE numbers are then referenced by the project and other sites in their commits, bug tracking, and advisories. Previously, the CVSS scores of reserved CVEs were set to zero, which led to them being detected by the Sonatype Security-Unscored reference policy.

There are currently 23 reserved CVEs that will now have CVSS values. This will affect thousands of components. Because of this, and depending on how your policies are defined, you will see issues moving from the Security-Unscored policy to the appropriate Security-* policy after the next evaluation.

Below are the reserved CVEs that now have a CVSS score. We used the CVSS 3.0 calculator to determine each CVSS score based on our research of the vulnerability.

| # of Artifacts | CVE |
|---|---|
| 1930 | CVE-2011-3923 |
| 403 | CVE-2012-2148 |
| 52 | CVE-2013-4170 |
| 36512 | CVE-2013-6430 |
| 17908 | CVE-2013-7285 |
| 8 | CVE-2013-7377 |
| 3 | CVE-2013-7381 |
| 254 | CVE-2014-0013 |
| 248 | CVE-2014-0014 |
| 345 | CVE-2014-0097 |
| 32828 | CVE-2014-0225 |
| 1585 | CVE-2014-1850 |
| 3948 | CVE-2014-3527 |
| 2895 | CVE-2014-3603 |
| 159 | CVE-2014-3607 |
| 45 | CVE-2014-3655 |
| 1585 | CVE-2014-3743 |
| 1947 | CVE-2014-4172 |
| 65 | CVE-2014-6393 |
| 9 | CVE-2014-8881 |
| 396 | CVE-2015-2080 |
| 1287 | CVE-2015-5209 |
| 33 | CVE-2015-7294 |

