
One more Improper Input Validation in CVSS v2 parsing #31

Closed
pandatix opened this issue Feb 2, 2023 · 3 comments
Labels
bug Something isn't working

Comments

@pandatix

pandatix commented Feb 2, 2023

While differential fuzzing with github.com/pandatix/go-cvss I discovered that your implementation does not properly validate CVSS v2 vectors, as it doesn't check the metric order.

In order to be compliant with the first.org specification Section 2.4 ("the vector lists these metrics in a predetermined order [...]") you must validate that every metric is in the order of Table 13.

The following Go code illustrates this issue.

package main

import (
	"fmt"

	"github.com/goark/go-cvss/v2/metric"
)

func main() {
	raw := "AV:N/AC:L/Au:N/C:N/A:C/I:N"
	vec, err := metric.NewEnvironmental().Decode(raw)

	fmt.Printf("vec: %v\n", vec)
	fmt.Printf("err: %v\n", err)
}

produces ->

vec: AV:N/AC:L/Au:N/C:N/I:N/A:C
err: <nil>

As the order is AV -> AC -> Au -> C -> I -> A, the CVSS v2 vector AV:N/AC:L/Au:N/C:N/A:C/I:N is invalid.
Notice this is not specified in CVSS v3 (no metric order), so this issue could not be reproduced with submodule v3.
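As an added illustration of the check the report asks for (not code from go-cvss or from the reporter), a strict CVSS v2 base-vector parser that enforces the Table 13 order and returns a nil pointer on any error; `ParseBase`, `BaseVector` and the allowed-value table are constructed here for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Base metric order from CVSS v2 Table 13: AV, AC, Au, C, I, A.
var baseOrder = []string{"AV", "AC", "Au", "C", "I", "A"}

// Allowed single-letter values per base metric (CVSS v2 Table 13).
var allowedValues = map[string]string{"AV": "LAN", "AC": "HML", "Au": "MSN", "C": "NPC", "I": "NPC", "A": "NPC"}

// BaseVector holds the six base metrics keyed by metric name (constructed type).
type BaseVector struct{ Metrics map[string]string }

// ParseBase validates a CVSS v2 base vector strictly: exactly six metrics,
// each with a known value, in the predetermined order. On any error it
// returns a nil pointer so callers cannot mistake a partial result for success.
func ParseBase(raw string) (*BaseVector, error) {
	parts := strings.Split(raw, "/")
	if len(parts) != len(baseOrder) {
		return nil, fmt.Errorf("expected %d metrics, got %d", len(baseOrder), len(parts))
	}
	v := &BaseVector{Metrics: make(map[string]string, len(baseOrder))}
	for i, part := range parts {
		name, val, ok := strings.Cut(part, ":")
		if !ok {
			return nil, fmt.Errorf("malformed metric %q", part)
		}
		if name != baseOrder[i] { // the check missing in the report: position must match Table 13
			return nil, fmt.Errorf("misordered vector string: want %s at position %d, got %s", baseOrder[i], i, name)
		}
		if len(val) != 1 || !strings.Contains(allowedValues[name], val) {
			return nil, fmt.Errorf("invalid value %q for metric %s", val, name)
		}
		v.Metrics[name] = val
	}
	return v, nil
}

func main() {
	// The second vector is the misordered one from the report (A before I).
	for _, raw := range []string{"AV:N/AC:L/Au:N/C:N/I:N/A:C", "AV:N/AC:L/Au:N/C:N/A:C/I:N"} {
		vec, err := ParseBase(raw)
		fmt.Printf("%s -> vec=%v err=%v\n", raw, vec, err)
	}
}
```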

@spiegel-im-spiegel spiegel-im-spiegel added the bug Something isn't working label Feb 2, 2023
spiegel-im-spiegel added a commit that referenced this issue Feb 2, 2023
Fixed that no error when misordered CVSSv2 vector string (issue #31)
@spiegel-im-spiegel
Member

Release v1.6.3

@pandatix
Author

pandatix commented Feb 3, 2023

The previously provided code now produces ->

vec: AV:N/AC:L/Au:N/C:N/I:N/A:C
err: misordered vector string

Maybe you should return a nil pointer for the CVSS v2 object when there is an error (good practice). It may not be clear to the developer using your implementation whether it worked or not.

@spiegel-im-spiegel
Member

OK! Release v1.6.4.

@pandatix pandatix closed this as completed Feb 4, 2023