For RHEL CVEs, why is there sometimes a difference between NVD and Red Hat CVSS base scores?

Solution Unverified

Environment

  • Red Hat Enterprise Linux (RHEL)

Issue

  • For Red Hat CVEs, why is there sometimes a difference between NVD and Red Hat CVSS base scores?

Resolution

The following two links best describe why there is sometimes a difference between NVD and Red Hat CVSS base scores:

  • https://access.redhat.com/site/security/updates/classification/ (at the bottom, under "Differences Between NVD and Red Hat Scores")
  • https://access.redhat.com/blogs/766093/posts/CVSSv3/

Starting in June 2016, Red Hat Product Security began scoring vulnerabilities using the new CVSSv3 standard.


4 Comments

The second link leads to a 404 page.

Link to https://access.redhat.com/blogs/766093/posts/CVSSv3s/ is broken (returns 404). Can someone please fix it? Thx.

broken link

https://access.redhat.com/blogs/766093/posts/CVSSv3s/

Just remove the last 's' in the URL, and then the link works:

https://access.redhat.com/blogs/766093/posts/CVSSv3