Same ID with different scores and information #5123
Comments
Hi @valrieux, thank you for your question! We added support for version 4.0 of CVSS earlier this year, and we have been upgrading incoming v3.1 scores to v4.0 to support that effort. We've received additional feedback about the confusion and difficulty this creates, especially when this is done inconsistently across advisories and when the vectors or numerical severity value differ between the two CVSS schema versions, so the team has been discussing the best way to address this. We have decided to continue to default to the latest version of the CVSS schema (4.0) when providing our own assessment and when supplied by our data feeds, but moving forward, we will align our advisories with the 3.x CVSS version provided by repository GHSAs when reasonable instead of upgrading it to 4.0, and we will adjust the CVSS vector string for GHSA-93ww-43rr-79v3.

Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!
Hello! Sorry to reopen it with delay but I am investigating again on that GHSA and I see that there are still differences between the two pages. Indeed, in patched versions, GHSA-93ww-43rr-79v3 mentions 24.0.9, 26.0.6 when GHSA-93ww-43rr-79v3 mentions only 26.0.6. Thank you so much for your help and clear answer!
Hello,
I don’t understand why we don’t get the same information here (GHSA-93ww-43rr-79v3) and there (GHSA-93ww-43rr-79v3). Could you help me to understand? Which version is the good one? Why is there different information for the same vulnerability with the same ID?
Thanks for helping