
#cve


The VLAI Severity model is accessible via API. Here is a simple example from a recent Ivanti vulnerability description from their vulnerability webpage.

The VLAI Security model for vulnerabilities is accessible via vulnerability-lookup and the public instance operated by CIRCL.

So, if you have a vulnerability description, you can quickly assess it to get a general idea of its severity.

curl -X 'POST' \
'https://vulnerability.circl.lu/api/vlai/severity-classification' \
-H 'accept: application/json' \
-H 'Content-Type: application/json' \
-d '{ "description": "Ivanti has released updates for Ivanti Neurons for ITSM (on-prem only) which addresses one critical severity vulnerability. Depending on system configuration, successful exploitation could allow an unauthenticated remote attacker to gain administrative access to the system. We are not aware of any customers being exploited by these vulnerabilities at the time of disclosure. We have included an environmental score to provide customers with additional context on the adjusted risk of this vulnerability with typical use cases. Customers who have followed Ivanti guidance on securing the IIS website and restricted access to a limited number of IP addresses and domain names have a reduced risk to their environment. Customers who have users log into the solution from outside their company network also have a reduced risk to their environment if they ensure that the solution is configured with a DMZ." }'

and the result

{
"severity": "Critical",
"confidence": 0.9256
}

#cve #ivanti #vulnerability #vulnerabilitymanagement #vulnerabilities

For more details: vulnerability-lookup.org/2025/

@circl @gcve

www.vulnerability-lookup.org · Vulnerability-Lookup 2.10.0 released
We're delighted to announce the release of Vulnerability-Lookup 2.10.0, and it's packed with exciting features! What's New: AI-Powered Enrichment using our in-house AI models. Vulnerability-Lookup now enhances vulnerability advisories using our in-house AI models. We recently worked on a new project, ML-Gateway, a FastAPI service for serving NLP models. It loads one or more pre-trained NLP models during startup and exposes them through a clean, RESTful API for inference. For example, it leverages the transformers library to load the CIRCL/vulnerability-severity-classification-roberta-base model, which specializes in classifying vulnerability descriptions according to their severity level. The server initializes this model once at startup, ensuring minimal latency during inference requests.

Significant progress has been made on the BCP-3 document, as well as on the implementation to enable synchronization and distributed publication of vulnerabilities.

The 2.10.0 release of vulnerability-lookup.org already includes the GCVE directory, and the next version will support BCP-3 as the reference implementation.

Thanks to @circl @cedric @adulau @misp @iglocska and many GNA for the contributions and constructive feedback.


4️⃣ But there is also good news, namely steps towards reducing Europe's dependence on the US:

For one thing, since last week there has been an offshoot of the #CVE database, which is indispensable for IT security, with its directory of publicly known security vulnerabilities (and further information about them).

So if US funding for CVE really does run out in 10 months (as almost happened once a month ago), it can still carry on.

dnip.ch/2025/05/20/dnip-briefi

Das Netz ist politisch · DNIP Briefing #25: Zuckerberg's data-hoarding (and what you can do about it)
Every Tuesday the editorial team presents the stories that have moved them, shaken them up or given them pause for thought.

How is GitHub doing CVSS scoring? I was looking at CVE-2022-41966 and it has a CVSS vector that indicates Integrity: Low.

The vulnerability allows an attacker who can feed malicious data to an XML deserialiser to crash the parser with a StackOverflowError. The fix changes this to a different type of exception. How can that in any way be marked as having an integrity impact at all?

I note that the NIST assessment has the much more appropriate assessment here, where there is no impact on integrity.

euvd.enisa.europa.eu · EUVD: European Vulnerability Database