attwad/gocvss

Improper Input Validation in CVSS v2 parsing

pandatix opened this issue · 0 comments

During differential fuzzing with github.com/pandatix/go-cvss, I discovered that your implementation does not validate inputs properly.
When providing the E:U metric in a vector, an error is raised. Nevertheless, the first.org specification Table 13 shows the E (Exploitability) metric can be U (Unproven).

In order to be compliant with the specification, you must review your validation process to validate E:U (probably mistyped with E:P after a quick code review).

The following Go code illustrates this issue.

package main

import (
	"fmt"

	cvss "github.com/attwad/gocvss"
)

func main() {
	// Base metrics plus the temporal metrics E:U / RL:OF / RC:C, all of
	// which are valid values per Table 13 of the CVSS v2 guide.
	raw := "AV:N/AC:L/Au:N/C:P/I:P/A:C/E:U/RL:OF/RC:C"
	vec, err := cvss.Parse(raw)

	// Expected: a populated vector and a nil error. Observed: zeroed
	// scores and an "unrecognized metric" error for E:U.
	fmt.Printf("vec: %v\n", vec)
	fmt.Printf("err: %v\n", err)
}

produces ->

vec: base score                     0.000000
  access vector                0.000000
  access complexity            0.000000
  authentication               0.000000
  confidentiality impact       0.000000
  integrity impact             0.000000
  availability impact          0.000000

temporal score                 0.000000
  exploitability               1.000000
  remediation level            1.000000
  report confidence            1.000000

environmental score            0.000000
  collateral damage potential  0.000000
  target distribution          0.000000
  confidentiality requirement  1.000000
  integrity requirement        1.000000
  availability requirement     1.000000

err: cvss: unrecognized metric "E:U"
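As an added example that is not part of the original issue and not code from attwad/gocvss or pandatix/go-cvss, the following Go program shows a table-driven way to validate a CVSS v2 vector so that every value listed in the specification, E:U included, is accepted while unknown metrics, unknown values, duplicated metrics and missing mandatory base metrics are rejected. The metric weights are the ones published in the CVSS v2 guide (first.org); the names ParseV2, Vector, BaseScore and TemporalScore are this example's own. It covers base and temporal metrics only; environmental metrics (CDP, TD, CR, IR, AR) are outside its scope and are reported as unrecognized. Absent temporal metrics default to ND, as the guide specifies.

```go
package main

import (
	"fmt"
	"math"
	"strings"
)

// Metric weights from the CVSS v2 guide. Validation is driven by these
// tables: a metric is valid only if its name and value both appear here,
// so the spec's value set (e.g. E in {U, POC, F, H, ND}) is encoded once.
var baseWeights = map[string]map[string]float64{
	"AV": {"L": 0.395, "A": 0.646, "N": 1.0},
	"AC": {"H": 0.35, "M": 0.61, "L": 0.71},
	"Au": {"M": 0.45, "S": 0.56, "N": 0.704},
	"C":  {"N": 0.0, "P": 0.275, "C": 0.660},
	"I":  {"N": 0.0, "P": 0.275, "C": 0.660},
	"A":  {"N": 0.0, "P": 0.275, "C": 0.660},
}

var temporalWeights = map[string]map[string]float64{
	"E":  {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0},
	"RL": {"OF": 0.87, "TF": 0.9, "W": 0.95, "U": 1.0, "ND": 1.0},
	"RC": {"UC": 0.9, "UR": 0.95, "C": 1.0, "ND": 1.0},
}

// Vector holds the parsed metric values keyed by metric name (example type).
type Vector struct {
	Base     map[string]string
	Temporal map[string]string
}

// ParseV2 validates a CVSS v2 base+temporal vector string (example function).
func ParseV2(raw string) (*Vector, error) {
	v := &Vector{Base: map[string]string{}, Temporal: map[string]string{}}
	for _, part := range strings.Split(raw, "/") {
		kv := strings.SplitN(part, ":", 2)
		if len(kv) != 2 || kv[0] == "" || kv[1] == "" {
			return nil, fmt.Errorf("cvss: malformed metric %q", part)
		}
		name, value := kv[0], kv[1]
		var table map[string]map[string]float64
		var dst map[string]string
		switch {
		case baseWeights[name] != nil:
			table, dst = baseWeights, v.Base
		case temporalWeights[name] != nil:
			table, dst = temporalWeights, v.Temporal
		default:
			return nil, fmt.Errorf("cvss: unrecognized metric %q", part)
		}
		if _, ok := table[name][value]; !ok {
			return nil, fmt.Errorf("cvss: invalid value %q for metric %s", value, name)
		}
		if _, dup := dst[name]; dup {
			return nil, fmt.Errorf("cvss: duplicate metric %s", name)
		}
		dst[name] = value
	}
	// All six base metrics are mandatory; temporal metrics are optional.
	for _, m := range []string{"AV", "AC", "Au", "C", "I", "A"} {
		if _, ok := v.Base[m]; !ok {
			return nil, fmt.Errorf("cvss: missing mandatory base metric %s", m)
		}
	}
	return v, nil
}

// roundTo1 is the guide's round_to_1_decimal.
func roundTo1(x float64) float64 { return math.Round(x*10) / 10 }

// BaseScore applies the CVSS v2 base equation.
func (v *Vector) BaseScore() float64 {
	w := func(m string) float64 { return baseWeights[m][v.Base[m]] }
	impact := 10.41 * (1 - (1-w("C"))*(1-w("I"))*(1-w("A")))
	exploitability := 20 * w("AV") * w("AC") * w("Au")
	f := 1.176 // f(Impact) = 0 when Impact is 0, else 1.176
	if impact == 0 {
		f = 0
	}
	return roundTo1((0.6*impact + 0.4*exploitability - 1.5) * f)
}

// TemporalScore multiplies the rounded base score by the temporal weights;
// a temporal metric that is not present counts as ND (weight 1.0).
func (v *Vector) TemporalScore() float64 {
	w := func(m string) float64 {
		val, ok := v.Temporal[m]
		if !ok {
			val = "ND"
		}
		return temporalWeights[m][val]
	}
	return roundTo1(v.BaseScore() * w("E") * w("RL") * w("RC"))
}

func main() {
	// The vector from the issue: E:U must parse.
	v, err := ParseV2("AV:N/AC:L/Au:N/C:P/I:P/A:C/E:U/RL:OF/RC:C")
	if err != nil {
		fmt.Println("err:", err)
		return
	}
	fmt.Printf("base %.1f temporal %.1f\n", v.BaseScore(), v.TemporalScore())
	// A value the spec does not list is still rejected.
	_, err = ParseV2("AV:N/AC:L/Au:N/C:P/I:P/A:C/E:X")
	fmt.Println("err:", err)
}
```

Because the accepted values live in the same table as the weights, the parser cannot accept a value it cannot score, and a typo such as writing P where the guide says U shows up as a single wrong table entry rather than a branch buried in a switch. For the issue's vector the program reports a base score of 9.0 and a temporal score of 6.7 under the v2 equations.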