Overview
A CVE vulnerability that is listed as a critical vulnerability in the CVE database is returned as a low security issue in LanGuard scan results.
Solution
When the LanGuard vulnerability classification is lower than the severity listed in the CVE database, the cause is either a discrepancy between the CVE database and the US National Vulnerability Database used by LanGuard, or a genuine content issue in the LanGuard vulnerability definitions.
- Check the US National Vulnerability Database for the rating of the particular CVE. If it matches the LanGuard classification, then the LanGuard vulnerability definitions are correct. If you still want to change the vulnerability level, refer to the workaround below.
- If there is a genuine discrepancy between the US National Vulnerability Database and the LanGuard classification, please contact GFI LanGuard Support so that the Content team can fix the issue and update the LanGuard definitions.
Meanwhile, as a workaround, you can manually adjust the severity level of the CVE by doing one of the following:
- In the LanGuard console, navigate to Configuration -> Scanning Profiles -> Choose the profile you use -> Vulnerabilities -> Find the affected CVE -> Right-click -> Properties -> Set the Severity level.
- In the LanGuard console, navigate to the Vulnerability tab and follow the instructions from the second part of the video How to acknowledge or adjust the severity for security vulnerabilities with GFI LanGuard.
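The National Vulnerability Database check described in the Solution section can be scripted. The following is an added example, not GFI code: it assumes the JSON layout of the NVD CVE API 2.0, uses a constructed sample response with a placeholder CVE id, and takes the severity shown in the scan results as a hand-entered label.

```python
import json

# Constructed sample shaped like an NVD CVE API 2.0 response
# (https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=...); placeholder CVE id.
SAMPLE_NVD_RESPONSE = json.dumps({"vulnerabilities": [{"cve": {
    "id": "CVE-0000-00000",
    "metrics": {
        "cvssMetricV31": [
            {"type": "Secondary", "cvssData": {"baseScore": 7.5, "baseSeverity": "HIGH"}},
            {"type": "Primary", "cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}},
        ],
        "cvssMetricV2": [
            {"type": "Primary", "baseSeverity": "HIGH", "cvssData": {"baseScore": 10.0}},
        ],
    },
}}]})

RANK = {"NONE": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
# Metric keys in the response, newest CVSS version first.
METRIC_KEYS = ["cvssMetricV40", "cvssMetricV31", "cvssMetricV30", "cvssMetricV2"]

def nvd_severities(response_text, cve_id):
    """Return {metric_key: severity} for one CVE, one entry per CVSS version present."""
    for item in json.loads(response_text).get("vulnerabilities", []):
        cve = item.get("cve", {})
        if cve.get("id") != cve_id:
            continue
        found = {}
        for key in METRIC_KEYS:
            entries = cve.get("metrics", {}).get(key) or []
            # Prefer the entry NVD marks as Primary; fall back to the first one.
            primary = (e for e in entries if e.get("type") == "Primary")
            entry = next(primary, entries[0] if entries else {})
            # v3.x/v4.0 keep baseSeverity inside cvssData; v2 keeps it on the entry.
            sev = entry.get("cvssData", {}).get("baseSeverity") or entry.get("baseSeverity")
            if sev:
                found[key] = sev.upper()
        return found
    return {}

def compare(scanner_severity, response_text, cve_id):
    """Compare the scanner's label with the newest-version NVD severity."""
    sevs = nvd_severities(response_text, cve_id)
    scanner = RANK.get(scanner_severity.strip().upper())
    if not sevs:
        return ("no-nvd-rating", None)
    if scanner is None:
        return ("unknown-scanner-label", None)
    nvd = next(sevs[k] for k in METRIC_KEYS if k in sevs)
    if scanner < RANK[nvd]:
        return ("scanner-lower", nvd)
    return ("match" if scanner == RANK[nvd] else "scanner-higher", nvd)
```

CVSS v2 has no Critical level, so the same CVE can be rated HIGH under v2 and CRITICAL under v3.1; note which version a rating comes from before treating a difference as a definitions error.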