goark / go-cvss

Common Vulnerability Scoring System (CVSS)


One more Improper Input Validation in CVSS v3 parsing

pandatix opened this issue · comments

After #10 and #13, I fuzzed the implementation again and discovered that other invalid inputs did not raise errors.
This could be categorized as CWE-20.

For instance, the following Go code does not produce any error.

package main

import (
	"fmt"

	"github.com/goark/go-cvss/v3/metric"
)

func main() {
	// The last metric uses a lowercase value ("A:n"), which Table 15 of the
	// specification does not allow; Decode should return an error here.
	vec, err := metric.NewEnvironmental().Decode("CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:n")

	fmt.Printf("vec: %v\n", vec)
	fmt.Printf("err: %v\n", err)
}

produces ->

vec: &{0xc0000a0a50 X X X X X X X X X X X map[]}
err: <nil>

You can check that this input is invalid using the official first.org calculator, which does not give scores despite all base metrics being defined, or by looking at Table 15 of the specification, which shows the A (Availability) metric can only be equal to [H,L,N] (not their lowercase equivalents).
The root of this issue is validating lowercase equivalents, which is not compliant with the first.org specifications.
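The following is an added example, not code from the go-cvss project or from the issue author: a strict, case-sensitive CVSS v3.0/v3.1 vector parser in Go that rejects lowercase metric values such as the `A:n` above. The metric names and their allowed values are taken from Table 15 of the v3.1 specification; the function name `ParseVector`, the version-prefix check, and the decision not to enforce metric order are assumptions of this example.

```go
package main

import (
	"fmt"
	"strings"
)

// allowedValues lists, per metric, the single-letter values permitted by the
// CVSS v3.1 specification (Table 15). Values are uppercase only: the lookup
// is case-sensitive, so "n" is rejected while "N" is accepted.
var allowedValues = map[string]string{
	// Base metrics (mandatory)
	"AV": "NALP", "AC": "LH", "PR": "NLH", "UI": "NR", "S": "UC",
	"C": "HLN", "I": "HLN", "A": "HLN",
	// Temporal metrics (optional, X = Not Defined)
	"E": "XUPFH", "RL": "XOTWU", "RC": "XURC",
	// Environmental metrics (optional, X = Not Defined)
	"CR": "XLMH", "IR": "XLMH", "AR": "XLMH",
	"MAV": "XNALP", "MAC": "XLH", "MPR": "XNLH", "MUI": "XNR", "MS": "XUC",
	"MC": "XHLN", "MI": "XHLN", "MA": "XHLN",
}

// baseMetrics must all be present for a vector to be valid.
var baseMetrics = []string{"AV", "AC", "PR", "UI", "S", "C", "I", "A"}

// ParseVector validates a CVSS v3.0/v3.1 vector string strictly and returns
// its metrics. An unknown metric, a duplicate metric, a missing base metric,
// or a value outside the spec's uppercase set (for example "A:n") is an error.
// Metric order is not enforced (an assumption of this example).
func ParseVector(vector string) (map[string]string, error) {
	parts := strings.Split(vector, "/")
	if parts[0] != "CVSS:3.0" && parts[0] != "CVSS:3.1" {
		return nil, fmt.Errorf("invalid or missing version prefix %q", parts[0])
	}
	metrics := make(map[string]string, len(parts)-1)
	for _, part := range parts[1:] {
		kv := strings.SplitN(part, ":", 2)
		if len(kv) != 2 {
			return nil, fmt.Errorf("malformed metric %q", part)
		}
		name, value := kv[0], kv[1]
		allowed, known := allowedValues[name]
		if !known {
			return nil, fmt.Errorf("unknown metric %q", name)
		}
		if _, dup := metrics[name]; dup {
			return nil, fmt.Errorf("duplicate metric %q", name)
		}
		// Exactly one byte and present byte-for-byte in the allowed set:
		// no case folding is applied, so lowercase values fail here.
		if len(value) != 1 || !strings.Contains(allowed, value) {
			return nil, fmt.Errorf("invalid value %q for metric %q (allowed: %s)", value, name, allowed)
		}
		metrics[name] = value
	}
	for _, name := range baseMetrics {
		if _, ok := metrics[name]; !ok {
			return nil, fmt.Errorf("missing mandatory base metric %q", name)
		}
	}
	return metrics, nil
}

func main() {
	// Constructed inputs: the lowercase vector from the issue and its corrected form.
	for _, v := range []string{
		"CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:n",
		"CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N",
	} {
		m, err := ParseVector(v)
		fmt.Printf("%s\n  metrics: %v\n  err: %v\n", v, m, err)
	}
}
```

The check deliberately avoids `strings.ToUpper` or `strings.EqualFold` on the value: the specification defines the metric values as fixed uppercase tokens, and folding case is exactly the leniency the issue reports. Rejecting duplicates and unknown metric names closes two further ways for a malformed vector to slip through a parser that only looks at the values it recognises.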

Release v1.4.1