The difficulties of (reading) vulnerability severity meters
Assigning a severity rating to a security vulnerability is not always unambiguous. One good real-life example is the recently fixed Mozilla Firefox Deleted Object Reference Code Execution Vulnerability (aka the “contentWindow.focus()” vulnerability).
Some examples of published advisories and their severity levels, in alphabetical order:
Securident Technologies, the researcher: no severity level assigned
CA: Low (2/5), Overall Risk [more info here]
FrSIRT: Critical (4/4)
OSVDB: no severity metric in use
Secunia: Highly Critical (4/5)
SecuriTeam: no severity metric in use
SecurityFocus: no severity metric in use
SecurityTracker: no severity metric in use
US-CERT: 7.87 (0..108)
The variation is huge, ranging from no rating or “Low” to “Critical” for the same issue. Additionally, Secunia elevated the severity from Not Critical to Highly Critical today.
One short conclusion: how is it possible to assign a ‘Low’ severity when PoC code is publicly available? Yes, I’m aware that code execution was proved by MFSA recently, but still...