goark / go-cvss

Common Vulnerability Scoring System (CVSS)


Improper Input Validation in CVSS v3 parsing

pandatix opened this issue · comments

While fuzzing this implementation, I discovered that some invalid inputs did not raise errors.
This could be categorized as CWE-20.

For instance, the following Go code does not produce any error.

package main

import (
	"fmt"

	"github.com/goark/go-cvss/v3/metric"
)

func main() {
	rawVec := "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L/RC:"
	vec, err := metric.NewEnvironmental().Decode(rawVec)

	fmt.Printf("vec: %v\n", vec)
	fmt.Printf("err: %v\n", err)
}

produces ->

vec: &{0xc0000bc000 X X X X X X X X X X X}
err: <nil>

You can check this input is invalid, using the official first.org calculator which does not give scores despite base metrics being all defined, or by looking at the specification Table 15 which shows the RC (ReportConfidence) metric can't be empty.
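The strict validation the report asks for, as an added example that is not part of the issue and not go-cvss's own code: a hypothetical ParseVector that rejects the empty "RC:" value from the report, along with unknown metric names, duplicate metrics, values outside the permitted set and missing Base metrics. The allowed value sets are taken from the CVSS v3.1 specification's metric tables; accepting metrics in any order and requiring a "CVSS:3.0" or "CVSS:3.1" prefix are this example's own choices.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// allowedValues lists, per CVSS v3.x metric, the values the specification
// permits. Base metrics are mandatory; Temporal and Environmental metrics are
// optional, but once a metric name appears its value must be one of these.
// An empty value such as "RC:" is never valid.
var allowedValues = map[string][]string{
	// Base
	"AV": {"N", "A", "L", "P"},
	"AC": {"L", "H"},
	"PR": {"N", "L", "H"},
	"UI": {"N", "R"},
	"S":  {"U", "C"},
	"C":  {"H", "L", "N"},
	"I":  {"H", "L", "N"},
	"A":  {"H", "L", "N"},
	// Temporal
	"E":  {"X", "U", "P", "F", "H"},
	"RL": {"X", "O", "T", "W", "U"},
	"RC": {"X", "U", "R", "C"},
	// Environmental
	"CR":  {"X", "H", "M", "L"},
	"IR":  {"X", "H", "M", "L"},
	"AR":  {"X", "H", "M", "L"},
	"MAV": {"X", "N", "A", "L", "P"},
	"MAC": {"X", "L", "H"},
	"MPR": {"X", "N", "L", "H"},
	"MUI": {"X", "N", "R"},
	"MS":  {"X", "U", "C"},
	"MC":  {"X", "H", "L", "N"},
	"MI":  {"X", "H", "L", "N"},
	"MA":  {"X", "H", "L", "N"},
}

// baseMetrics must all be present for a vector to be valid.
var baseMetrics = []string{"AV", "AC", "PR", "UI", "S", "C", "I", "A"}

// ErrInvalidVector is wrapped by every error ParseVector returns, so callers
// can match it with errors.Is.
var ErrInvalidVector = errors.New("invalid CVSS v3 vector")

// ParseVector (hypothetical, not the go-cvss API) strictly validates a CVSS
// v3.0/v3.1 vector string and returns its metrics as a name -> value map.
func ParseVector(raw string) (map[string]string, error) {
	parts := strings.Split(raw, "/")
	if parts[0] != "CVSS:3.0" && parts[0] != "CVSS:3.1" {
		return nil, fmt.Errorf("%w: missing or unsupported version prefix", ErrInvalidVector)
	}
	metrics := make(map[string]string, len(parts)-1)
	for _, comp := range parts[1:] {
		name, value, found := strings.Cut(comp, ":")
		if !found {
			return nil, fmt.Errorf("%w: component %q is not NAME:VALUE", ErrInvalidVector, comp)
		}
		if value == "" {
			// The case from the report: a metric name followed by nothing.
			return nil, fmt.Errorf("%w: metric %q has an empty value", ErrInvalidVector, name)
		}
		allowed, ok := allowedValues[name]
		if !ok {
			return nil, fmt.Errorf("%w: unknown metric %q", ErrInvalidVector, name)
		}
		if _, dup := metrics[name]; dup {
			return nil, fmt.Errorf("%w: metric %s given more than once", ErrInvalidVector, name)
		}
		if !contains(allowed, value) {
			return nil, fmt.Errorf("%w: value %q not permitted for metric %s", ErrInvalidVector, value, name)
		}
		metrics[name] = value
	}
	for _, m := range baseMetrics {
		if _, ok := metrics[m]; !ok {
			return nil, fmt.Errorf("%w: base metric %s is missing", ErrInvalidVector, m)
		}
	}
	return metrics, nil
}

func contains(list []string, v string) bool {
	for _, x := range list {
		if x == v {
			return true
		}
	}
	return false
}

func main() {
	for _, raw := range []string{
		"CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L/RC:",  // vector from the report
		"CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L/RC:C", // same vector with RC filled in
	} {
		_, err := ParseVector(raw)
		fmt.Printf("%s -> err: %v\n", raw, err)
	}
}
```

Wrapping every failure in ErrInvalidVector lets a caller treat any malformed vector uniformly (for example, refusing to store or score it) while the message still names the offending component.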

Released v1.3.1