Why a Patch Changed From Critical to High
Why does a Critical patch I just installed now show a severity of High?

Severity services have migrated to CVSSv3 scoring. Severities are based on the CVSS 0–10 scale for assessing vulnerability severity, as described in the National Vulnerability Database (NVD). Automox previously defined the Critical range as 7.0–10.0. The change from v2 to v3 ranges is as follows:
| Automox CVSSv2 | Automox CVSSv3 |
|---|---|
| | None (0.0) |
| Low (0.0–3.9) | Low (0.0–3.9) |
| Medium (4.0–6.9) | Medium (4.0–6.9) |
| Critical (7.0–10) | High (7.0–8.9) |
| Other (Not scored) | Critical (9.0–10) |
| | Unknown |
When considering the migration to v3 scoring, there are a few factors that can cause CVE scores to change:

- Scores can change at any time as the vendor learns and analyzes more information. For example, a score can be Critical today, High next week, and Low next year.
- Scores can change when a CVE is updated or the Automox agent reports a severity change. In this migration, they changed by following the current standards for vulnerability scoring.
- After this update, you may see the severity of previously applied patches also change, if they had a score above 7 but below the cutoff for Critical.
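As an added example (not Automox's own code), the two label mappings from the table above, applied to a constructed list of patches to show which ones are relabelled by the migration; patch IDs and scores are made up, and a score of `None` stands for "not scored".

```python
from typing import Optional, List, Tuple

# Severity bands as listed in the table on this page. Scores are CVSS base
# scores on the 0-10 scale; None means the CVE has not been scored.

def severity_v2(score: Optional[float]) -> str:
    """Automox label under the old CVSSv2-based bands."""
    if score is None:
        return "Other"        # not scored
    if score >= 7.0:
        return "Critical"     # v2: the whole 7.0-10 range was Critical
    if score >= 4.0:
        return "Medium"
    return "Low"

def severity_v3(score: Optional[float]) -> str:
    """Automox label under the CVSSv3-based bands."""
    if score is None:
        return "Unknown"
    if score == 0.0:
        return "None"
    if score >= 9.0:
        return "Critical"     # v3: only 9.0-10 is Critical
    if score >= 7.0:
        return "High"         # v3: 7.0-8.9 is High (was Critical under v2)
    if score >= 4.0:
        return "Medium"
    return "Low"

def relabelled_after_migration(
    patches: List[Tuple[str, Optional[float]]],
) -> List[Tuple[str, str, str]]:
    """Return (patch_id, old_label, new_label) for every patch whose label changes."""
    changed = []
    for patch_id, score in patches:
        old, new = severity_v2(score), severity_v3(score)
        if old != new:
            changed.append((patch_id, old, new))
    return changed

# Constructed sample input (hypothetical patch IDs and scores).
SAMPLE_PATCHES = [
    ("patch-A", 9.8),   # Critical under both schemes
    ("patch-B", 7.5),   # Critical -> High
    ("patch-C", 8.9),   # Critical -> High (top of the new High band)
    ("patch-D", 5.0),   # Medium under both
    ("patch-E", None),  # Other -> Unknown
    ("patch-F", 0.0),   # Low -> None
]
```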
