Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update CVE-2024-11703.json #140

Merged
merged 1 commit into from
Dec 4, 2024
Merged

Update CVE-2024-11703.json #140

merged 1 commit into from
Dec 4, 2024

Conversation

mozfreddyb
Copy link
Contributor

  • This is a change to the CVSS rating as part of the vulnrichment by CISA. I am aware that the CVE is handled by Mozilla directly (which I work for).

A reporter of the bug has brought to our attention, that the CVSS values are likely not correct. (The bug was reported multiple times by various folks, because of the low complexity).

  • The attack requires physical access to the device (changing attackVector)
  • The attacker is required to be fully logged in to the device (we're assuming that people protect their personal devices with PIN, pattern or other means of authentication like face recognition)

Given my understanding of CVSS and some help from the CVSS calculator, I believe this may result in a score of 5.7 and a severity of "medium", not "critical". But I'm happy to discuss this further.

@jwoytek-cisa jwoytek-cisa merged commit 8c4289c into cisagov:develop Dec 4, 2024
@mozfreddyb
Copy link
Contributor Author

Thank you.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@mozfreddyb @jwoytek-cisa