Why does a Critical patch I just installed now show a severity of High?
Severity services have migrated to CVSSv3 scoring. These are based on the CVSS as described in the National Vulnerability Database. The scoring range for Critical was previously defined by Automox as from 7.0–10.0. The change from v2 to v3 ranges are as follows:
Other (Not scored)
When considering the migration to v3 scoring, there are a few factors that can cause CVE scores to change:
Scores can change anytime as more information is learned and analyzed by the vendor.
For example, a score can be Critical today, High next week, and Low next year.
Scores can change when a CVE is updated or the Automox agent reports a severity change. In this migration they changed by following the current standards for vulnerability scoring.
After this update, you may see the severity of previously applied patches also change, if they had a score above 7 but below the cutoff for Critical.
Note: When the severity level for a package is not scored and provides insufficient information, the console displays the score Unknown.
Note: If an Ubuntu, Red Hat, or Debian-related software package does not have any CVEs associated with it, Automox shows the severity score No Known CVEs.