CVSS vector is not checked for additional garbage strings
Closed this issue · 3 comments
Subject of the issue
Invalid CVSS vector strings are accepted as valid in CVSS:3.1; this was not a problem in version 1.2.3.
I can add garbage characters anywhere after the base metrics. I can also add an extra slash between base metrics.
I haven't seen this change in the changelog, so I assumed it wasn't something that was done intentionally.
Your environment
- version of cvss-suite gem: 3.2.1
- version of ruby: 3.2.0
Steps to reproduce
Start an environment where you can use the `CvssSuite` class:

```ruby
CvssSuite.new('CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:U/RC:C/randomgarbage/').valid?
# returns true

CvssSuite.new('CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:U/randomgarbage/').valid?
# returns true

CvssSuite.new('CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/randomgarbage').valid?
# returns true
```

One extra slash between metrics:

```ruby
CvssSuite.new('CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N//I:N/A:H/E:P/RL:U/RC:C/').valid?
# returns true
```

All these examples would return `false` in version 1.2.3.
@atalayozmen Thanks for reporting, will fix this issue in the next weeks.
Thank you for the response. I wanted to add some more things:

I know that temporal fields are not mandatory, so `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N//I:N/A:H` is valid; however, `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N//I:N/A:H/E:/RL:/RC:` is also valid, where the temporal metrics do not have a corresponding value.

I think it should make sure that if a metric exists (like E, RL or RC), the corresponding value after the colon should also exist, and it should be a valid metric value. So, if we have e.g. `E:`, we should only have X, H, F, P or U after the colon, no unknown letters or a null letter.

```
E:   # => invalid
E:R  # => invalid
E:H  # => valid
```
@atalayozmen I agree, that should not be valid. I hope it is fixed in the new version.
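The following is an added example of a strict CVSS v3.1 vector validator covering both the garbage/extra-slash cases from the original report and the empty or invalid temporal values from the follow-up comment. It is not code from the cvss-suite gem and does not show how the gem fixed the issue; it assumes the metric names and allowed single-letter values from the CVSS v3.1 specification, accepts metrics in any order, and requires all eight base metrics while treating temporal and environmental metrics as optional. The key design choice is `split('/', -1)`, which keeps empty fields so that a doubled or trailing slash is rejected rather than silently dropped, combined with an anchored per-component regex so that anything that is not exactly `NAME:VALUE` fails.

```ruby
require 'set'

# Strict CVSS v3.1 vector validator (added example, not part of cvss-suite).
module StrictCvss31
  PREFIX = 'CVSS:3.1'

  # Allowed single-letter values per metric, taken from the CVSS v3.1 specification.
  BASE = {
    'AV' => %w[N A L P], 'AC' => %w[L H], 'PR' => %w[N L H], 'UI' => %w[N R],
    'S' => %w[U C], 'C' => %w[H L N], 'I' => %w[H L N], 'A' => %w[H L N]
  }.freeze
  TEMPORAL = {
    'E' => %w[X H F P U], 'RL' => %w[X U W T O], 'RC' => %w[X C R U]
  }.freeze
  ENVIRONMENTAL = {
    'CR' => %w[X H M L], 'IR' => %w[X H M L], 'AR' => %w[X H M L],
    'MAV' => %w[X N A L P], 'MAC' => %w[X L H], 'MPR' => %w[X N L H],
    'MUI' => %w[X N R], 'MS' => %w[X U C],
    'MC' => %w[X H L N], 'MI' => %w[X H L N], 'MA' => %w[X H L N]
  }.freeze
  ALL = BASE.merge(TEMPORAL).merge(ENVIRONMENTAL).freeze

  # A component must be exactly NAME:VALUE with a single upper-case value letter,
  # so "E:", "E:" + "R" with a lower-case tail, or "randomgarbage" never match.
  COMPONENT = /\A([A-Z]{1,3}):([A-Z])\z/.freeze

  # Returns nil when the vector is valid, otherwise a short reason string.
  def self.error_for(vector)
    return 'not a string' unless vector.is_a?(String)
    return "must start with #{PREFIX}/" unless vector.start_with?("#{PREFIX}/")

    seen = Set.new
    # limit -1 keeps empty fields, so "C:N//I:N" and a trailing "/" are caught
    # instead of being silently dropped by split.
    vector[(PREFIX.length + 1)..].split('/', -1).each do |component|
      match = COMPONENT.match(component)
      return "malformed component #{component.inspect}" unless match

      name, value = match.captures
      allowed = ALL[name]
      return "unknown metric #{name}" unless allowed
      return "invalid value #{value} for #{name}" unless allowed.include?(value)
      return "duplicate metric #{name}" unless seen.add?(name)
    end

    missing = BASE.keys - seen.to_a
    return "missing base metric(s) #{missing.join(', ')}" unless missing.empty?

    nil
  end

  def self.valid?(vector)
    error_for(vector).nil?
  end
end

# Run the vectors from this issue through the validator and show the reason
# each one is rejected (or that it is accepted).
if $PROGRAM_NAME == __FILE__
  [
    'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:U/RC:C',
    'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:U/RC:C/randomgarbage/',
    'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N//I:N/A:H/E:P/RL:U/RC:C/',
    'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:/RL:/RC:',
    'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:R'
  ].each { |v| puts "#{v}\n  => #{StrictCvss31.error_for(v) || 'valid'}" }
end
```

`error_for` reports the first problem it finds, which is what a library would want to surface to callers; `valid?` is the boolean wrapper matching the gem's API shape. Note that the double-slash vector from the follow-up comment is rejected here as well, since an empty component is never a valid `NAME:VALUE` pair.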