CVEs and CPEs with score = 0, log and N/A

Hello again.
I will use this topic to ask another question.

Is this normal ?

Aren’t they too many CVEs and CPEs with score = 0, log and N/A ?
My feed status →

Hi @AyyJYH, I’ve moved this to a new topic for better visibility.

1 Like

Hi again @AyyJYH, I have some information about this.

Yep, this is normal. New CVEs usually have 0 or N/A as score because they will reserved in the first step, and then later the vendor may/will publish more details about the issue, and then the severity can be calculated. Here’s an example of a new (at this time) CVE NVD - CVE-2022-23968 (there’s also a N/A score at NIST) and a screenshot of the current state for reference.

After the score is assigned then needs to arrive in the Greenbone feeds, and sometimes there can be an additional 24 hour window between assignment and propagation.

Hope that helps!

1 Like

I’ll check it in a few days.

1 Like