Understanding the Severity Levels of detected Linux vulnerabilities
When Snyk determines the severity level (Low, Medium, High, Critical) of a Linux vulnerability for the Snyk Container product, we consider multiple factors:
- Snyk's internal analysis
- An assessment of the severity provided by the Linux distribution maintainer’s security team
- The severity of the vulnerability as assessed by the National Vulnerability Database (NVD)
In certain cases, NVD may assign a different CVSS vector and severity score than the security maintainers of a particular Linux distribution. When this occurs, we prioritize and use the CVSS and severity determined by the Linux distribution maintainers, as described in our relative importance feature.
Relative importance asserts a common severity for a vulnerability and shows the underlying detailed information for that severity, based on multiple sources. This information helps developers and analysts view a common level of importance, and exposes the underlying information that helped form the given severity.
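An added sketch of the precedence rule described above (not Snyk's code): it prefers the distribution maintainer's rating, falls back to the NVD score when the distribution has none, and keeps both source values so a reviewer can see disagreements such as Ubuntu Low versus NVD Critical. The label mapping, field names and sample findings are assumptions made for illustration, and Snyk's internal analysis is not modelled.

```python
LEVELS = ["low", "medium", "high", "critical"]

# Assumed mapping from distro-native labels to the four levels (illustrative only).
DISTRO_LABELS = {
    "negligible": "low", "unimportant": "low", "low": "low",
    "medium": "medium", "moderate": "medium",
    "high": "high", "important": "high",
    "critical": "critical",
}


def nvd_level(score):
    """CVSS v3.x qualitative rating for a base score; None when unscored."""
    if score is None or score <= 0:
        return None
    for floor, level in ((9.0, "critical"), (7.0, "high"), (4.0, "medium")):
        if score >= floor:
            return level
    return "low"


def relative_importance(distro_label, nvd_score):
    """Pick one severity (distro first) and keep the per-source detail."""
    distro = DISTRO_LABELS.get((distro_label or "").strip().lower())
    nvd = nvd_level(nvd_score)
    severity = distro or nvd  # unrated or unknown distro label falls back to NVD
    gap = LEVELS.index(nvd) - LEVELS.index(distro) if distro and nvd else 0
    return {
        "severity": severity,
        "decided_by": "distro" if distro else ("nvd" if nvd else None),
        "sources": {"distro": distro, "nvd": nvd},
        "nvd_minus_distro": gap,  # > 0: NVD rates the issue higher than the distro
    }


def divergent(findings, min_gap=2):
    """IDs whose two sources differ by at least min_gap levels, for review."""
    return [f["id"] for f in findings
            if abs(relative_importance(f["distro"], f["cvss"])["nvd_minus_distro"]) >= min_gap]


# Constructed sample findings; the IDs are placeholders, not real CVEs.
SAMPLE = [
    {"id": "CVE-EXAMPLE-0001", "distro": "Low", "cvss": 9.8},
    {"id": "CVE-EXAMPLE-0002", "distro": "Important", "cvss": 7.5},
    {"id": "CVE-EXAMPLE-0003", "distro": "not yet assigned", "cvss": 5.3},
]

if __name__ == "__main__":
    for f in SAMPLE:
        print(f["id"], relative_importance(f["distro"], f["cvss"]))
    print("review:", divergent(SAMPLE))
```

Findings returned by `divergent` are the ones where the displayed severity hides a large gap between sources, which is where an analyst should read the underlying detail before accepting the lower rating.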
New information appears in the Security information section of the project page, for each issue:

Example for a vulnerability rated by Ubuntu as Low, and rated by NVD as Critical.
We currently support Relative Importance in: Ubuntu, Debian, Red Hat Enterprise Linux (RHEL), CentOS, Amazon Linux, Oracle Linux and SUSE Linux Enterprise Server (SLES).
We use the following external sources to provide this information for the distros: