vrt 0.10.0 → 0.12.2

Files changed (37)
  1. checksums.yaml +4 -4
  2. data/lib/data/1.10/deprecated-node-mapping.json +200 -0
  3. data/lib/data/1.10/mappings/cvss_v3/cvss_v3.json +1074 -0
  4. data/lib/data/1.10/mappings/cvss_v3/cvss_v3.schema.json +59 -0
  5. data/lib/data/1.10/mappings/cwe/cwe.json +477 -0
  6. data/lib/data/1.10/mappings/cwe/cwe.schema.json +63 -0
  7. data/lib/data/1.10/mappings/remediation_advice/remediation_advice.json +1543 -0
  8. data/lib/data/1.10/mappings/remediation_advice/remediation_advice.schema.json +75 -0
  9. data/lib/data/1.10/third-party-mappings/remediation_training/secure-code-warriors-links.json +348 -0
  10. data/lib/data/1.10/vrt.schema.json +63 -0
  11. data/lib/data/1.10/vulnerability-rating-taxonomy.json +2171 -0
  12. data/lib/data/1.10.1/deprecated-node-mapping.json +200 -0
  13. data/lib/data/1.10.1/mappings/cvss_v3/cvss_v3.json +1074 -0
  14. data/lib/data/1.10.1/mappings/cvss_v3/cvss_v3.schema.json +59 -0
  15. data/lib/data/1.10.1/mappings/cwe/cwe.json +477 -0
  16. data/lib/data/1.10.1/mappings/cwe/cwe.schema.json +63 -0
  17. data/lib/data/1.10.1/mappings/remediation_advice/remediation_advice.json +1543 -0
  18. data/lib/data/1.10.1/mappings/remediation_advice/remediation_advice.schema.json +75 -0
  19. data/lib/data/1.10.1/third-party-mappings/remediation_training/secure-code-warrior-links.json +348 -0
  20. data/lib/data/1.10.1/vrt.schema.json +63 -0
  21. data/lib/data/1.10.1/vulnerability-rating-taxonomy.json +2171 -0
  22. data/lib/data/1.11/deprecated-node-mapping.json +236 -0
  23. data/lib/data/1.11/mappings/cvss_v3/cvss_v3.json +1250 -0
  24. data/lib/data/1.11/mappings/cvss_v3/cvss_v3.schema.json +59 -0
  25. data/lib/data/1.11/mappings/cwe/cwe.json +664 -0
  26. data/lib/data/1.11/mappings/cwe/cwe.schema.json +63 -0
  27. data/lib/data/1.11/mappings/remediation_advice/remediation_advice.json +1811 -0
  28. data/lib/data/1.11/mappings/remediation_advice/remediation_advice.schema.json +75 -0
  29. data/lib/data/1.11/third-party-mappings/remediation_training/secure-code-warrior-links.json +392 -0
  30. data/lib/data/1.11/vrt.schema.json +63 -0
  31. data/lib/data/1.11/vulnerability-rating-taxonomy.json +2442 -0
  32. data/lib/vrt/mapping.rb +12 -6
  33. data/lib/vrt/node.rb +4 -0
  34. data/lib/vrt/third_party_links.rb +33 -0
  35. data/lib/vrt/version.rb +1 -1
  36. data/lib/vrt.rb +8 -0
  37. metadata +39 -4
@@ -0,0 +1,1074 @@
1
+ {
2
+ "metadata": {
3
+ "default": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
4
+ },
5
+ "content": [
6
+ {
7
+ "id": "server_security_misconfiguration",
8
+ "children": [
9
+ {
10
+ "id": "unsafe_cross_origin_resource_sharing",
11
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N"
12
+ },
13
+ {
14
+ "id": "path_traversal",
15
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
16
+ },
17
+ {
18
+ "id": "directory_listing_enabled",
19
+ "children": [
20
+ {
21
+ "id": "sensitive_data_exposure",
22
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
23
+ },
24
+ {
25
+ "id": "non_sensitive_data_exposure",
26
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
27
+ }
28
+ ]
29
+ },
30
+ {
31
+ "id": "same_site_scripting",
32
+ "cvss_v3": "AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N"
33
+ },
34
+ {
35
+ "id": "ssl_attack_breach_poodle_etc",
36
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"
37
+ },
38
+ {
39
+ "id": "using_default_credentials",
40
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
41
+ },
42
+ {
43
+ "id": "misconfigured_dns",
44
+ "children": [
45
+ {
46
+ "id": "basic_subdomain_takeover",
47
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
48
+ },
49
+ {
50
+ "id": "high_impact_subdomain_takeover",
51
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N"
52
+ },
53
+ {
54
+ "id": "zone_transfer",
55
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
56
+ },
57
+ {
58
+ "id": "missing_caa_record",
59
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
60
+ }
61
+ ]
62
+ },
63
+ {
64
+ "id": "mail_server_misconfiguration",
65
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
66
+ "children": [
67
+ {
68
+ "id": "no_spoofing_protection_on_email_domain",
69
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
70
+ },
71
+ {
72
+ "id": "email_spoofing_to_inbox_due_to_missing_or_misconfigured_dmarc_on_email_domain",
73
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"
74
+ }
75
+ ]
76
+ },
77
+ {
78
+ "id": "dbms_misconfiguration",
79
+ "children": [
80
+ {
81
+ "id": "excessively_privileged_user_dba",
82
+ "cvss_v3": "AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N"
83
+ }
84
+ ]
85
+ },
86
+ {
87
+ "id": "lack_of_password_confirmation",
88
+ "cvss_v3": "AV:P/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L",
89
+ "children": [
90
+ {
91
+ "id": "manage_two_fa",
92
+ "cvss_v3": "AV:P/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L"
93
+ }
94
+ ]
95
+ },
96
+ {
97
+ "id": "no_rate_limiting_on_form",
98
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
99
+ "children": [
100
+ {
101
+ "id": "login",
102
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
103
+ },
104
+ {
105
+ "id": "change_password",
106
+ "cvss_v3": "AV:P/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L"
107
+ }
108
+ ]
109
+ },
110
+ {
111
+ "id": "unsafe_file_upload",
112
+ "children": [
113
+ {
114
+ "id": "no_antivirus",
115
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N"
116
+ },
117
+ {
118
+ "id": "no_size_limit",
119
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
120
+ },
121
+ {
122
+ "id": "file_extension_filter_bypass",
123
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
124
+ }
125
+ ]
126
+ },
127
+ {
128
+ "id": "cookie_scoped_to_parent_domain",
129
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
130
+ },
131
+ {
132
+ "id": "missing_secure_or_httponly_cookie_flag",
133
+ "children": [
134
+ {
135
+ "id": "session_token",
136
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
137
+ },
138
+ {
139
+ "id": "non_session_cookie",
140
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
141
+ }
142
+ ]
143
+ },
144
+ {
145
+ "id": "clickjacking",
146
+ "children": [
147
+ {
148
+ "id": "sensitive_action",
149
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
150
+ },
151
+ {
152
+ "id": "form_input",
153
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"
154
+ },
155
+ {
156
+ "id": "non_sensitive_action",
157
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N"
158
+ }
159
+ ]
160
+ },
161
+ {
162
+ "id": "oauth_misconfiguration",
163
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
164
+ "children": [
165
+ {
166
+ "id": "account_takeover",
167
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
168
+ },
169
+ {
170
+ "id": "account_squatting",
171
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N"
172
+ }
173
+ ]
174
+ },
175
+ {
176
+ "id": "captcha",
177
+ "children": [
178
+ {
179
+ "id": "implementation_vulnerability",
180
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
181
+ },
182
+ {
183
+ "id": "brute_force",
184
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
185
+ },
186
+ {
187
+ "id": "missing",
188
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
189
+ }
190
+ ]
191
+ },
192
+ {
193
+ "id": "exposed_admin_portal",
194
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
195
+ },
196
+ {
197
+ "id": "missing_dnssec",
198
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
199
+ },
200
+ {
201
+ "id": "fingerprinting_banner_disclosure",
202
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
203
+ },
204
+ {
205
+ "id": "username_enumeration",
206
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
207
+ },
208
+ {
209
+ "id": "potentially_unsafe_http_method_enabled",
210
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
211
+ },
212
+ {
213
+ "id": "insecure_ssl",
214
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
215
+ },
216
+ {
217
+ "id": "rfd",
218
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N"
219
+ },
220
+ {
221
+ "id": "lack_of_security_headers",
222
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N",
223
+ "children": [
224
+ {
225
+ "id": "cache_control_for_a_sensitive_page",
226
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
227
+ }
228
+ ]
229
+ },
230
+ {
231
+ "id": "waf_bypass",
232
+ "children": [
233
+ {
234
+ "id": "direct_server_access",
235
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
236
+ }
237
+ ]
238
+ },
239
+ {
240
+ "id": "race_condition",
241
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
242
+ },
243
+ {
244
+ "id": "cache_poisoning",
245
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
246
+ },
247
+ {
248
+ "id": "bitsquatting",
249
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
250
+ }
251
+ ]
252
+ },
253
+ {
254
+ "id": "server_side_injection",
255
+ "children": [
256
+ {
257
+ "id": "file_inclusion",
258
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"
259
+ },
260
+ {
261
+ "id": "parameter_pollution",
262
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
263
+ },
264
+ {
265
+ "id": "remote_code_execution_rce",
266
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
267
+ },
268
+ {
269
+ "id": "sql_injection",
270
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"
271
+ },
272
+ {
273
+ "id": "xml_external_entity_injection_xxe",
274
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"
275
+ },
276
+ {
277
+ "id": "http_response_manipulation",
278
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
279
+ },
280
+ {
281
+ "id": "content_spoofing",
282
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N",
283
+ "children": [
284
+ {
285
+ "id": "iframe_injection",
286
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"
287
+ },
288
+ {
289
+ "id": "impersonation_via_broken_link_hijacking",
290
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
291
+ },
292
+ {
293
+ "id": "external_authentication_injection",
294
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"
295
+ },
296
+ {
297
+ "id": "flash_based_external_authentication_injection",
298
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
299
+ },
300
+ {
301
+ "id": "email_html_injection",
302
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"
303
+ }
304
+ ]
305
+ },
306
+ {
307
+ "id": "ssti",
308
+ "children": [
309
+ {
310
+ "id": "basic",
311
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
312
+ },
313
+ {
314
+ "id": "custom",
315
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
316
+ }
317
+ ]
318
+ }
319
+ ]
320
+ },
321
+ {
322
+ "id": "broken_authentication_and_session_management",
323
+ "children": [
324
+ {
325
+ "id": "authentication_bypass",
326
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
327
+ },
328
+ {
329
+ "id": "two_fa_bypass",
330
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
331
+ },
332
+ {
333
+ "id": "privilege_escalation",
334
+ "cvss_v3": "AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N"
335
+ },
336
+ {
337
+ "id": "cleartext_transmission_of_session_token",
338
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
339
+ },
340
+ {
341
+ "id": "weak_login_function",
342
+ "children": [
343
+ {
344
+ "id": "not_operational",
345
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
346
+ },
347
+ {
348
+ "id": "other_plaintext_protocol_no_secure_alternative",
349
+ "cvss_v3": "AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
350
+ },
351
+ {
352
+ "id": "over_http",
353
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"
354
+ }
355
+ ]
356
+ },
357
+ {
358
+ "id": "session_fixation",
359
+ "children": [
360
+ {
361
+ "id": "remote_attack_vector",
362
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N"
363
+ },
364
+ {
365
+ "id": "local_attack_vector",
366
+ "cvss_v3": "AV:P/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N"
367
+ }
368
+ ]
369
+ },
370
+ {
371
+ "id": "failure_to_invalidate_session",
372
+ "children": [
373
+ {
374
+ "id": "on_logout",
375
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N"
376
+ },
377
+ {
378
+ "id": "on_logout_server_side_only",
379
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N"
380
+ },
381
+ {
382
+ "id": "on_password_change",
383
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N"
384
+ },
385
+ {
386
+ "id": "all_sessions",
387
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N"
388
+ },
389
+ {
390
+ "id": "on_email_change",
391
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N"
392
+ },
393
+ {
394
+ "id": "on_two_fa_activation_change",
395
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N"
396
+ },
397
+ {
398
+ "id": "long_timeout",
399
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N"
400
+ }
401
+ ]
402
+ },
403
+ {
404
+ "id": "concurrent_logins",
405
+ "cvss_v3": "AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N"
406
+ },
407
+ {
408
+ "id": "weak_registration_implementation",
409
+ "cvss_v3": "AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"
410
+ }
411
+ ]
412
+ },
413
+ {
414
+ "id": "sensitive_data_exposure",
415
+ "children": [
416
+ {
417
+ "id": "disclosure_of_secrets",
418
+ "children": [
419
+ {
420
+ "id": "for_publicly_accessible_asset",
421
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
422
+ },
423
+ {
424
+ "id": "for_internal_asset",
425
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L"
426
+ },
427
+ {
428
+ "id": "pay_per_use_abuse",
429
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
430
+ },
431
+ {
432
+ "id": "intentionally_public_sample_or_invalid",
433
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
434
+ },
435
+ {
436
+ "id": "data_traffic_spam",
437
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
438
+ },
439
+ {
440
+ "id": "non_corporate_user",
441
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
442
+ }
443
+ ]
444
+ },
445
+ {
446
+ "id": "exif_geolocation_data_not_stripped_from_uploaded_images",
447
+ "children": [
448
+ {
449
+ "id": "automatic_user_enumeration",
450
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
451
+ },
452
+ {
453
+ "id": "manual_user_enumeration",
454
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
455
+ }
456
+ ]
457
+ },
458
+ {
459
+ "id": "visible_detailed_error_page",
460
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
461
+ "children": [
462
+ {
463
+ "id": "detailed_server_configuration",
464
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
465
+ }
466
+ ]
467
+ },
468
+ {
469
+ "id": "disclosure_of_known_public_information",
470
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
471
+ },
472
+ {
473
+ "id": "token_leakage_via_referer",
474
+ "children": [
475
+ {
476
+ "id": "trusted_third_party",
477
+ "cvss_v3": "AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N"
478
+ },
479
+ {
480
+ "id": "untrusted_third_party",
481
+ "cvss_v3": "AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N"
482
+ },
483
+ {
484
+ "id": "over_http",
485
+ "cvss_v3": "AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N"
486
+ }
487
+ ]
488
+ },
489
+ {
490
+ "id": "sensitive_token_in_url",
491
+ "cvss_v3": "AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
492
+ },
493
+ {
494
+ "id": "non_sensitive_token_in_url",
495
+ "cvss_v3": "AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
496
+ },
497
+ {
498
+ "id": "weak_password_reset_implementation",
499
+ "cvss_v3": "AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N",
500
+ "children": [
501
+ {
502
+ "id": "token_leakage_via_host_header_poisoning",
503
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L"
504
+ }
505
+ ]
506
+ },
507
+ {
508
+ "id": "mixed_content",
509
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:N"
510
+ },
511
+ {
512
+ "id": "sensitive_data_hardcoded",
513
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
514
+ },
515
+ {
516
+ "id": "internal_ip_disclosure",
517
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
518
+ },
519
+ {
520
+ "id": "xssi",
521
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N"
522
+ },
523
+ {
524
+ "id": "json_hijacking",
525
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N"
526
+ },
527
+ {
528
+ "id": "via_localstorage_sessionstorage",
529
+ "children": [
530
+ {
531
+ "id": "sensitive_token",
532
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
533
+ },
534
+ {
535
+ "id": "non_sensitive_token",
536
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
537
+ }
538
+ ]
539
+ }
540
+ ]
541
+ },
542
+ {
543
+ "id": "cross_site_scripting_xss",
544
+ "children": [
545
+ {
546
+ "id": "stored",
547
+ "children": [
548
+ {
549
+ "id": "non_admin_to_anyone",
550
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N"
551
+ },
552
+ {
553
+ "id": "privileged_user_to_privilege_elevation",
554
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N"
555
+ },
556
+ {
557
+ "id": "privileged_user_to_no_privilege_elevation",
558
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N"
559
+ },
560
+ {
561
+ "id": "url_based",
562
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
563
+ },
564
+ {
565
+ "id": "self",
566
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
567
+ }
568
+ ]
569
+ },
570
+ {
571
+ "id": "reflected",
572
+ "children": [
573
+ {
574
+ "id": "non_self",
575
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
576
+ },
577
+ {
578
+ "id": "self",
579
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
580
+ }
581
+ ]
582
+ },
583
+ {
584
+ "id": "flash_based",
585
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:N"
586
+ },
587
+ {
588
+ "id": "cookie_based",
589
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:N"
590
+ },
591
+ {
592
+ "id": "ie_only",
593
+ "children": [
594
+ {
595
+ "id": "ie_eleven",
596
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
597
+ },
598
+ {
599
+ "id": "xss_filter_disabled",
600
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
601
+ },
602
+ {
603
+ "id": "older_version_ie_eleven",
604
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:N"
605
+ }
606
+ ]
607
+ },
608
+ {
609
+ "id": "referer",
610
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
611
+ },
612
+ {
613
+ "id": "trace_method",
614
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
615
+ },
616
+ {
617
+ "id": "universal_uxss",
618
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
619
+ },
620
+ {
621
+ "id": "off_domain",
622
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
623
+ }
624
+ ]
625
+ },
626
+ {
627
+ "id": "broken_access_control",
628
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
629
+ "children": [
630
+ {
631
+ "id": "server_side_request_forgery_ssrf",
632
+ "children": [
633
+ {
634
+ "id": "internal_high_impact",
635
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"
636
+ },
637
+ {
638
+ "id": "internal_scan_and_or_medium_impact",
639
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N"
640
+ },
641
+ {
642
+ "id": "external",
643
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L"
644
+ }
645
+ ]
646
+ },
647
+ {
648
+ "id": "username_enumeration",
649
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
650
+ }
651
+ ]
652
+ },
653
+ {
654
+ "id": "cross_site_request_forgery_csrf",
655
+ "children": [
656
+ {
657
+ "id": "application_wide",
658
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L"
659
+ },
660
+ {
661
+ "id": "action_specific",
662
+ "children": [
663
+ {
664
+ "id": "authenticated_action",
665
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N"
666
+ },
667
+ {
668
+ "id": "unauthenticated_action",
669
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
670
+ },
671
+ {
672
+ "id": "logout",
673
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N"
674
+ }
675
+ ]
676
+ },
677
+ {
678
+ "id": "csrf_token_not_unique_per_request",
679
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
680
+ },
681
+ {
682
+ "id": "flash_based",
683
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
684
+ }
685
+ ]
686
+ },
687
+ {
688
+ "id": "application_level_denial_of_service_dos",
689
+ "children": [
690
+ {
691
+ "id": "critical_impact_and_or_easy_difficulty",
692
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
693
+ },
694
+ {
695
+ "id": "high_impact_and_or_medium_difficulty",
696
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
697
+ },
698
+ {
699
+ "id": "app_crash",
700
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
701
+ }
702
+ ]
703
+ },
704
+ {
705
+ "id": "unvalidated_redirects_and_forwards",
706
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
707
+ "children": [
708
+ {
709
+ "id": "open_redirect",
710
+ "children": [
711
+ {
712
+ "id": "get_based",
713
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
714
+ }
715
+ ]
716
+ }
717
+ ]
718
+ },
719
+ {
720
+ "id": "external_behavior",
721
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
722
+ },
723
+ {
724
+ "id": "insufficient_security_configurability",
725
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
726
+ "children": [
727
+ {
728
+ "id": "no_password_policy",
729
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"
730
+ },
731
+ {
732
+ "id": "weak_password_reset_implementation",
733
+ "children": [
734
+ {
735
+ "id": "token_is_not_invalidated_after_use",
736
+ "cvss_v3": "AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"
737
+ }
738
+ ]
739
+ },
740
+ {
741
+ "id": "weak_two_fa_implementation",
742
+ "children": [
743
+ {
744
+ "id": "two_fa_secret_cannot_be_rotated",
745
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
746
+ },
747
+ {
748
+ "id": "two_fa_secret_remains_obtainable_after_two_fa_is_enabled",
749
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
750
+ }
751
+ ]
752
+ }
753
+ ]
754
+ },
755
+ {
756
+ "id": "using_components_with_known_vulnerabilities",
757
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
758
+ "children": [
759
+ {
760
+ "id": "rosetta_flash",
761
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
762
+ }
763
+ ]
764
+ },
765
+ {
766
+ "id": "insecure_data_storage",
767
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
768
+ "children": [
769
+ {
770
+ "id": "sensitive_application_data_stored_unencrypted",
771
+ "children": [
772
+ {
773
+ "id": "on_external_storage",
774
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
775
+ }
776
+ ]
777
+ },
778
+ {
779
+ "id": "server_side_credentials_storage",
780
+ "children": [
781
+ {
782
+ "id": "plaintext",
783
+ "cvss_v3": "AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:N"
784
+ }
785
+ ]
786
+ }
787
+ ]
788
+ },
789
+ {
790
+ "id": "lack_of_binary_hardening",
791
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
792
+ },
793
+ {
794
+ "id": "insecure_data_transport",
795
+ "children": [
796
+ {
797
+ "id": "cleartext_transmission_of_sensitive_data",
798
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
799
+ },
800
+ {
801
+ "id": "executable_download",
802
+ "children": [
803
+ {
804
+ "id": "no_secure_integrity_check",
805
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N"
806
+ },
807
+ {
808
+ "id": "secure_integrity_check",
809
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:N"
810
+ }
811
+ ]
812
+ }
813
+ ]
814
+ },
815
+ {
816
+ "id": "insecure_os_firmware",
817
+ "children": [
818
+ {
819
+ "id": "command_injection",
820
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
821
+ },
822
+ {
823
+ "id": "hardcoded_password",
824
+ "children": [
825
+ {
826
+ "id": "privileged_user",
827
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
828
+ },
829
+ {
830
+ "id": "non_privileged_user",
831
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
832
+ }
833
+ ]
834
+ }
835
+ ]
836
+ },
837
+ {
838
+ "id": "broken_cryptography",
839
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"
840
+ },
841
+ {
842
+ "id": "privacy_concerns",
843
+ "children": [
844
+ {
845
+ "id": "unnecessary_data_collection",
846
+ "children": [
847
+ {
848
+ "id": "wifi_ssid_password",
849
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
850
+ }
851
+ ]
852
+ }
853
+ ]
854
+ },
855
+ {
856
+ "id": "network_security_misconfiguration",
857
+ "children": [
858
+ {
859
+ "id": "telnet_enabled",
860
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
861
+ }
862
+ ]
863
+ },
864
+ {
865
+ "id": "mobile_security_misconfiguration",
866
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
867
+ "children": [
868
+ {
869
+ "id": "clipboard_enabled",
870
+ "cvss_v3": "AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N"
871
+ },
872
+ {
873
+ "id": "auto_backup_allowed_by_default",
874
+ "cvss_v3": "AV:P/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"
875
+ }
876
+ ]
877
+ },
878
+ {
879
+ "id": "client_side_injection",
880
+ "children": [
881
+ {
882
+ "id": "binary_planting",
883
+ "children": [
884
+ {
885
+ "id": "privilege_escalation",
886
+ "cvss_v3": "AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
887
+ },
888
+ {
889
+ "id": "non_default_folder_privilege_escalation",
890
+ "cvss_v3": "AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N"
891
+ },
892
+ {
893
+ "id": "no_privilege_escalation",
894
+ "cvss_v3": "AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N"
895
+ }
896
+ ]
897
+ }
898
+ ]
899
+ },
900
+ {
901
+ "id": "automotive_security_misconfiguration",
902
+ "children": [
903
+ {
904
+ "id": "infotainment_radio_head_unit",
905
+ "children": [
906
+ {
907
+ "id": "pii_leakage",
908
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"
909
+ },
910
+ {
911
+ "id": "ota_firmware_manipulation",
912
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
913
+ },
914
+ {
915
+ "id": "code_execution_can_bus_pivot",
916
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
917
+ },
918
+ {
919
+ "id": "code_execution_no_can_bus_pivot",
920
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L"
921
+ },
922
+ {
923
+ "id": "unauthorized_access_to_services",
924
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L"
925
+ },
926
+ {
927
+ "id": "source_code_dump",
928
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"
929
+ },
930
+ {
931
+ "id": "dos_brick",
932
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
933
+ },
934
+ {
935
+ "id": "default_credentials",
936
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
937
+ }
938
+ ]
939
+ },
940
+ {
941
+ "id": "rf_hub",
942
+ "children": [
943
+ {
944
+ "id": "key_fob_cloning",
945
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"
946
+ },
947
+ {
948
+ "id": "can_injection_interaction",
949
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
950
+ },
951
+ {
952
+ "id": "data_leakage_pull_encryption_mechanism",
953
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"
954
+ },
955
+ {
956
+ "id": "unauthorized_access_turn_on",
957
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L"
958
+ },
959
+ {
960
+ "id": "roll_jam",
961
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
962
+ },
963
+ {
964
+ "id": "replay",
965
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
966
+ },
967
+ {
968
+ "id": "relay",
969
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
970
+ }
971
+ ]
972
+ },
973
+ {
974
+ "id": "can",
975
+ "children": [
976
+ {
977
+ "id": "injection_battery_management_system",
978
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
979
+ },
980
+ {
981
+ "id": "injection_steering_control",
982
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
983
+ },
984
+ {
985
+ "id": "injection_pyrotechnical_device_deployment_tool",
986
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
987
+ },
988
+ {
989
+ "id": "injection_headlights",
990
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
991
+ },
992
+ {
993
+ "id": "injection_sensors",
994
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
995
+ },
996
+ {
997
+ "id": "injection_vehicle_anti_theft_systems",
998
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
999
+ },
1000
+ {
1001
+ "id": "injection_powertrain",
1002
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
1003
+ },
1004
+ {
1005
+ "id": "injection_basic_safety_message",
1006
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
1007
+ },
1008
+ {
1009
+ "id": "injection_disallowed_messages",
1010
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
1011
+ },
1012
+ {
1013
+ "id": "injection_dos",
1014
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
1015
+ }
1016
+ ]
1017
+ },
1018
+ {
1019
+ "id": "battery_management_system",
1020
+ "children": [
1021
+ {
1022
+ "id": "firmware_dump",
1023
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"
1024
+ },
1025
+ {
1026
+ "id": "fraudulent_interface",
1027
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H"
1028
+ }
1029
+ ]
1030
+ },
1031
+ {
1032
+ "id": "gnss_gps",
1033
+ "children": [
1034
+ {
1035
+ "id": "spoofing",
1036
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
1037
+ }
1038
+ ]
1039
+ },
1040
+ {
1041
+ "id": "immobilizer",
1042
+ "children": [
1043
+ {
1044
+ "id": "engine_start",
1045
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
1046
+ }
1047
+ ]
1048
+ },
1049
+ {
1050
+ "id": "abs",
1051
+ "children": [
1052
+ {
1053
+ "id": "unintended_acceleration_brake",
1054
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
1055
+ }
1056
+ ]
1057
+ },
1058
+ {
1059
+ "id": "rsu",
1060
+ "children": [
1061
+ {
1062
+ "id": "sybil_attack",
1063
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
1064
+ }
1065
+ ]
1066
+ }
1067
+ ]
1068
+ },
1069
+ {
1070
+ "id": "indicators_of_compromise",
1071
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
1072
+ }
1073
+ ]
1074
+ }
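Review bot: Every `cvss_v3` value in this file is a bare metric string without the `CVSS:3.0/` or `CVSS:3.1/` prefix, and `metadata` (lines 2–4 of the file) records only a `default` vector, so nothing in the document says which CVSS v3 minor version the scores were authored against. Rounding and some metric interpretations changed between 3.0 and 3.1, so a consumer that scores these strings may produce values the taxonomy authors did not intend; recording it once, for example `"metadata": { "version": "3.0", "default": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N" }` (value to be confirmed by the data owners), would remove the ambiguity. Presumably the sibling cvss_v3.schema.json added in this commit validates this file; if it does not already constrain each `cvss_v3` string with a pattern covering the eight metric groups, a mistyped vector passes validation and only fails when scored. The same point applies to the 1.10.1 and 1.11 copies of this file listed in the diffstat.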