
Improve Severity System data - For Canonical/Ubuntu we report Ubuntu Priority as Severity #1742

Open
@mjherzog


While reviewing a large set of Vuln references from Canonical I noticed that we are reporting Ubuntu Priority in the Severity field.
Some examples are:

(most of these are relatively old Vulns)

The Ubuntu Priority data is not a CVSS score and is often paired with the original CVSS Severity data from the NVD.
The general explanation from: https://ubuntu.com/security/cves/about#priority is: "The Ubuntu priority is based on many factors including severity, importance, risk, estimated number of affected users, software configuration, active exploitation, and other factors which may adjust the impact of certain vulnerabilities such as Ubuntu’s proactive security features."

So this Priority is more like an assessment of the impact on an Ubuntu package, which is useful - perhaps close to VEX-type information.
The point of this Issue is to design how to present this type of information to make its meaning more clear. Perhaps in this case the System should be ubuntu-priority instead of generic_textual.
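As an added illustration of the modelling change proposed above (example code, not VulnerableCode's own code or API), the following shows an Ubuntu Priority stored under its own scoring system rather than generic_textual, sitting beside the NVD CVSS score from the same advisory so a consumer can tell the two apart. The class and function names, the "ubuntu-priority" and "cvssv3.1" system identifiers, the record shape and the sample record are assumptions made for this example.

```python
"""Added example, not VulnerableCode's own code or API.

An Ubuntu Priority is stored under its own scoring system instead of
"generic_textual", so consumers can tell it apart from a CVSS score that may
sit beside it on the same advisory. The class and function names, the
"ubuntu-priority" and "cvssv3.1" system ids, and the sample record are
assumptions made for this illustration.
"""
from dataclasses import dataclass

# Ubuntu's documented priority levels, lowest to highest.
UBUNTU_PRIORITY_LEVELS = ("negligible", "low", "medium", "high", "critical")

GENERIC_TEXTUAL_SYSTEM = "generic_textual"  # the system the issue says is used today
UBUNTU_PRIORITY_SYSTEM = "ubuntu-priority"  # assumed id, as proposed in the issue
CVSS_V31_SYSTEM = "cvssv3.1"                # assumed id for an NVD CVSS v3.1 score


@dataclass(frozen=True)
class Severity:
    """One severity entry: the system that defines the value, the value itself,
    and (for CVSS only) the vector string the score was derived from."""
    system: str
    value: str
    scoring_elements: str = ""

    @property
    def is_cvss(self) -> bool:
        return self.system.startswith("cvss")

    def describe(self) -> str:
        """Human-readable label that states what kind of assessment this is."""
        if self.is_cvss:
            return f"{self.system} score {self.value} ({self.scoring_elements})"
        if self.system == UBUNTU_PRIORITY_SYSTEM:
            return f"Ubuntu priority {self.value} (package impact, not a CVSS score)"
        return f"{self.system}: {self.value}"


def ubuntu_priority_severity(priority: str) -> Severity:
    """Normalise an Ubuntu priority string and tag it with its own system.
    Unknown levels are rejected rather than silently stored as free text."""
    level = priority.strip().lower()
    if level not in UBUNTU_PRIORITY_LEVELS:
        raise ValueError(f"unknown Ubuntu priority: {priority!r}")
    return Severity(system=UBUNTU_PRIORITY_SYSTEM, value=level)


def severities_from_record(record: dict) -> list[Severity]:
    """Build the severity list for one advisory record.

    The record shape (keys "priority" and "cvss3") is a constructed assumption,
    not Canonical's real data format. The Ubuntu priority and the NVD CVSS
    score come out as two entries under two different systems.
    """
    severities: list[Severity] = []
    if record.get("priority"):
        severities.append(ubuntu_priority_severity(record["priority"]))
    cvss = record.get("cvss3")
    if cvss:
        severities.append(
            Severity(
                system=CVSS_V31_SYSTEM,
                value=str(cvss["score"]),
                scoring_elements=cvss["vector"],
            )
        )
    return severities


def cvss_only(severities: list[Severity]) -> list[Severity]:
    """Filter for a consumer that must not mistake a priority for a score."""
    return [s for s in severities if s.is_cvss]


# Constructed sample record (not real Canonical data): a CVE carrying both an
# Ubuntu priority and an NVD CVSS v3.1 score.
SAMPLE_RECORD = {
    "id": "CVE-0000-00000",  # placeholder identifier
    "priority": "Medium",
    "cvss3": {
        "score": 7.5,
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    },
}

if __name__ == "__main__":
    for sev in severities_from_record(SAMPLE_RECORD):
        print(sev.describe())
    # The legacy representation the issue objects to: the same priority as
    # free text, with nothing that says it is not a CVSS severity.
    print(Severity(system=GENERIC_TEXTUAL_SYSTEM, value="Medium").describe())
```

Keeping the two systems separate means a downstream filter such as cvss_only() never picks up "medium" as if it were a score, while describe() makes the Ubuntu priority's meaning explicit wherever it is displayed.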
