Individual/Multiple CVEs are showing as N/A in the Vulnerability Scanner
This article explains the reasons why CVEs might show up as N/A in the Automox Vulnerability Scanner. Unfortunately, there are multiple reasons why this could be the case, and we'll try to explain it all.
Explanation
When it comes to CVEs, we do not have a list of every CVE ever made! However, we do try our best when it comes to documenting them and how they might affect devices under our management.
For reference, there are several articles in our database that highlight how we ingest any CVE knowledge:
- Understanding Automox Severity Data
- About Automox Vulnerability Sync
Automox severity scoring
The severity of CVEs is based on CVSS scores. These scores have different mappings to severity classifications. The following mapping table shows how Automox defines the previous version 2 and the new version 3 severity ratings of a package:
In the event that there are multiple CVEs, with a mixture of scores, the highest possible CVSS score will determine the severity.
Note: If a CVE is not scored or Automox has insufficient information, it will be shown as Unknown.
There are also other reasons why CVEs could be marked as "unknown":
- No machines have the vulnerability
- The update has been superseded (vulnerability is not applicable anymore)
- Third-party vulnerability (see our third-party supported software list here: Third-Party Software Support)
- Hardware/firmware update, which is something that Automox does not support
- The CVE is a configuration change (something that must be done manually and is not supported by Automox)
Automox is not guaranteed to have information on every CVE. If a CVE shows as "unknown", chances are that it is for one of the five reasons above.