CVE-2024-48510 has wrong severity

[mymichu]

Description

We found that CVE-2024-48510 is marked as high severity by Trivy Vulnerability Scan, with a score of 9.8. On the Aquasec homepage, it is listed as a critical severity issue. There is a mismatch in severity matching.

Desired Behavior

I would assume that any score above 9 indicates a Critical severity.

Actual Behavior

A vulnerability score of 9.8 indicates a High severity. Here is the relevant SBOM snippet.

 {
"id": "CVE-2024-48510",
"source": {
"name": "ghsa",
"url": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anuget"
},
"ratings": [
{
"source": {
"name": "ghsa"
},
"score": 9.8,
"severity": "high",
"method": "CVSSv31",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
{
"source": {
"name": "nvd"
},
"score": 9.8,
"severity": "critical",
"method": "CVSSv31",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"cwes": [
22
],
"description": "Directory Traversal vulnerability in DotNetZip v.1.16.0 and before allows a remote attacker to execute arbitrary code via the src/Zip.Shared/ZipEntry.Extract.cs component NOTE: This vulnerability only affects products that are no longer supported by the maintainer.",
"advisories": [
{
"url": "https://avd.aquasec.com/nvd/cve-2024-48510"
},
{
"url": "https://gist.github.com/thomas-chauchefoin-bentley-systems/855218959116f870f08857cce2aec731"
},
{
"url": "https://github.com/haf/DotNetZip.Semverd"
},
{
"url": "https://github.com/haf/DotNetZip.Semverd/blob/e487179b33a9a0f2631eed5fb04d2c952ea5377a/src/Zip.Shared/ZipEntry.Extract.cs#L1365-L1410"
},
{
"url": "https://github.com/mihula/ProDotNetZip/commit/18486ad6d13742a07a6755ef6edf60d7458f1854"
},
{
"url": "https://github.com/mihula/ProDotNetZip/pull/21"
},
{
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-48510"
},
{
"url": "https://www.nuget.org/packages/DotNetZip"
},
{
"url": "https://www.nuget.org/packages/DotNetZip/"
}
],
"published": "2024-11-13T15:15:07+00:00",
"updated": "2025-05-02T10:40:29+00:00",
"affects": [
{
"ref": "pkg:nuget/[email protected]",
"versions": [
{
"version": "1.13.3",
"status": "affected"
}
]
}
]
},

Reproduction Steps

1. trivy image --scanners vuln --timeout 10m --severity HIGH,CRITICAL --exit-code 11 --quiet --format cyclonedx INTERNAL_IMAGE > vulns-filtered.cdx.json

Target

Container Image

Scanner

Vulnerability

Output Format

CycloneDX

Mode

Standalone

Debug Output

2025-10-02T10:27:34+02:00	DEBUG	No plugins loaded
2025-10-02T10:27:34+02:00	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2025-10-02T10:27:34+02:00	DEBUG	Cache dir	dir="/Users/michel/Library/Caches/trivy"
2025-10-02T10:27:34+02:00	DEBUG	Cache dir	dir="/Users/michel/Library/Caches/trivy"
2025-10-02T10:27:34+02:00	DEBUG	Parsed severities	severities=[HIGH CRITICAL]
2025-10-02T10:27:34+02:00	DEBUG	Ignore statuses	statuses=[]
2025-10-02T10:27:34+02:00	DEBUG	DB update was skipped because the local DB is the latest
2025-10-02T10:27:34+02:00	DEBUG	DB info	schema=2 updated_at=2025-10-02T06:30:35.515605089Z next_update=2025-10-03T06:30:35.515604918Z downloaded_at=2025-10-02T08:25:48.345464Z
2025-10-02T10:27:34+02:00	DEBUG	[pkg] Package types	types=[os library]
2025-10-02T10:27:34+02:00	DEBUG	[pkg] Package relationships	relationships=[unknown root workspace direct indirect]
2025-10-02T10:27:34+02:00	INFO	[vuln] Vulnerability scanning is enabled
2025-10-02T10:27:34+02:00	DEBUG	Initializing scan cache...	type="fs"
2025-10-02T10:27:34+02:00	DEBUG	[notification] Running version check
2025-10-02T10:27:34+02:00	DEBUG	[notification] Version check completed	latest_version="0.67.0"
2025-10-02T10:27:35+02:00	DEBUG	Credential error	err="unable to refresh token: missing environment variable AZURE_TENANT_ID"
2025-10-02T10:27:35+02:00	DEBUG	[image] Image found	image="dlpimagebuildprod.azurecr.io/had-order-scimsync-image:1.0.3891" source="remote"
2025-10-02T10:27:35+02:00	DEBUG	Created process-specific temp directory	path="/var/folders/lm/t_csztk12g346r6hpv2jfb1w0000gn/T/trivy-12606"
2025-10-02T10:27:35+02:00	DEBUG	[image] Detected image ID	image_id="sha256:3954bbb1de0442a8a732f9ecb13090205ac5b61e1ba54092d998da1e28843e57"
2025-10-02T10:27:35+02:00	DEBUG	[image] Detected diff ID	diff_ids=[sha256:f9f52dc133e2af9188960e5a5165cafaa51657ef740ff20219e45a561d78c591 sha256:16188edf8edb4d26b17f47314685ebcc2a4ebb75289c38aa33b3510bfbbb382a sha256:250397287678eb176c3e594dcaea5ee924643bf57199e74c6e1b73ce320fc8a9 sha256:4cc711c4e24d2dbab77c68903f55275bb19b9a0ab9ad0a40696e9da5713346ae sha256:e606a9d38263d595fa4343d48213d2827352bd25852110943bf207c8f98a3cc1]
2025-10-02T10:27:35+02:00	DEBUG	[image] Detected base layers	diff_ids=[sha256:f9f52dc133e2af9188960e5a5165cafaa51657ef740ff20219e45a561d78c591]
2025-10-02T10:27:35+02:00	INFO	Detected OS	family="ubuntu" version="24.04"
2025-10-02T10:27:35+02:00	INFO	[ubuntu] Detecting vulnerabilities...	os_version="24.04" pkg_num=258
2025-10-02T10:27:35+02:00	INFO	Number of language-specific files	num=8
2025-10-02T10:27:35+02:00	INFO	[dotnet-core] Detecting vulnerabilities...
2025-10-02T10:27:35+02:00	DEBUG	[dotnet-core] Scanning packages for vulnerabilities	file_path="azure-functions-cli/func.deps.json"
2025-10-02T10:27:35+02:00	DEBUG	[dotnet-core] Scanning packages for vulnerabilities	file_path="azure-functions-cli/workers/powershell/7.2/Microsoft.Azure.Functions.PowerShellWorker.deps.json"
2025-10-02T10:27:35+02:00	DEBUG	[dotnet-core] Scanning packages for vulnerabilities	file_path="azure-functions-cli/workers/powershell/7.4/Microsoft.Azure.Functions.PowerShellWorker.deps.json"
2025-10-02T10:27:35+02:00	DEBUG	[dotnet-core] Scanning packages for vulnerabilities	file_path="azure-functions-cli/workers/powershell/7/Microsoft.Azure.Functions.PowerShellWorker.deps.json"
2025-10-02T10:27:35+02:00	INFO	[gobinary] Detecting vulnerabilities...
2025-10-02T10:27:35+02:00	DEBUG	[gobinary] Scanning packages for vulnerabilities	file_path="azure-functions-cli/gozip"
2025-10-02T10:27:35+02:00	INFO	[jar] Detecting vulnerabilities...
2025-10-02T10:27:35+02:00	DEBUG	[jar] Scanning packages for vulnerabilities	file_path=""
2025-10-02T10:27:35+02:00	INFO	[node-pkg] Detecting vulnerabilities...
2025-10-02T10:27:35+02:00	DEBUG	[node-pkg] Scanning packages for vulnerabilities	file_path=""
2025-10-02T10:27:35+02:00	INFO	[python-pkg] Detecting vulnerabilities...
2025-10-02T10:27:35+02:00	DEBUG	[python-pkg] Scanning packages for vulnerabilities	file_path=""
2025-10-02T10:27:35+02:00	WARN	Using severities from other vendors for some vulnerabilities. Read https://trivy.dev/v0.67/docs/scanner/vulnerability#severity-selection for details.
2025-10-02T10:27:35+02:00	DEBUG	Specified ignore file does not exist	file=".trivyignore"
2025-10-02T10:27:35+02:00	DEBUG	[vex] VEX filtering is disabled
2025-10-02T10:27:35+02:00	DEBUG	Cleaning up temp directory	path="/var/folders/lm/t_csztk12g346r6hpv2jfb1w0000gn/T/trivy-12606"

Operating System

macOs Sequoia

Version

Version: 0.67.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2025-10-02 06:30:35.515605089 +0000 UTC
  NextUpdate: 2025-10-03 06:30:35.515604918 +0000 UTC
  DownloadedAt: 2025-10-02 08:25:48.345464 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2025-10-02 00:53:10.071599149 +0000 UTC
  NextUpdate: 2025-10-05 00:53:10.071598999 +0000 UTC
  DownloadedAt: 2025-10-02 08:26:13.710993 +0000 UTC
Check Bundle:
  Digest: sha256:e13d31ec41e7a61a0eeb42afccd73a8e2802244c5c772764a5e2ffb30cab727c
  DownloadedAt: 2025-05-14 09:18:10.063828 +0000 UTC

Checklist

• Run trivy clean --all
• Read the troubleshooting

[DmitriyLewen]

hello @mymichu
Thanks for your interest to Trivy!

You can read about similar case in #8463

Regards, Dmitriy