vrt 0.11.0 → 0.12.5

Files changed (27) hide show
  1. checksums.yaml +4 -4
  2. data/lib/data/1.11/deprecated-node-mapping.json +236 -0
  3. data/lib/data/1.11/mappings/cvss_v3/cvss_v3.json +1250 -0
  4. data/lib/data/1.11/mappings/cvss_v3/cvss_v3.schema.json +59 -0
  5. data/lib/data/1.11/mappings/cwe/cwe.json +664 -0
  6. data/lib/data/1.11/mappings/cwe/cwe.schema.json +63 -0
  7. data/lib/data/1.11/mappings/remediation_advice/remediation_advice.json +1811 -0
  8. data/lib/data/1.11/mappings/remediation_advice/remediation_advice.schema.json +75 -0
  9. data/lib/data/1.11/third-party-mappings/remediation_training/secure-code-warrior-links.json +392 -0
  10. data/lib/data/1.11/vrt.schema.json +63 -0
  11. data/lib/data/1.11/vulnerability-rating-taxonomy.json +2442 -0
  12. data/lib/data/1.12/deprecated-node-mapping.json +236 -0
  13. data/lib/data/1.12/mappings/cvss_v3/cvss_v3.json +1280 -0
  14. data/lib/data/1.12/mappings/cvss_v3/cvss_v3.schema.json +59 -0
  15. data/lib/data/1.12/mappings/cwe/cwe.json +668 -0
  16. data/lib/data/1.12/mappings/cwe/cwe.schema.json +63 -0
  17. data/lib/data/1.12/mappings/remediation_advice/remediation_advice.json +1850 -0
  18. data/lib/data/1.12/mappings/remediation_advice/remediation_advice.schema.json +75 -0
  19. data/lib/data/1.12/third-party-mappings/remediation_training/secure-code-warrior-links.json +400 -0
  20. data/lib/data/1.12/vrt.schema.json +63 -0
  21. data/lib/data/1.12/vulnerability-rating-taxonomy.json +2493 -0
  22. data/lib/vrt/mapping.rb +12 -6
  23. data/lib/vrt/node.rb +4 -0
  24. data/lib/vrt/third_party_links.rb +33 -0
  25. data/lib/vrt/version.rb +1 -1
  26. data/lib/vrt.rb +8 -0
  27. metadata +28 -7
@@ -0,0 +1,1280 @@
1
+ {
2
+ "metadata": {
3
+ "default": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
4
+ },
5
+ "content": [
6
+ {
7
+ "id": "server_security_misconfiguration",
8
+ "children": [
9
+ {
10
+ "id": "server_side_request_forgery_ssrf",
11
+ "children": [
12
+ {
13
+ "id": "internal_high_impact",
14
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"
15
+ },
16
+ {
17
+ "id": "internal_scan_and_or_medium_impact",
18
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N"
19
+ },
20
+ {
21
+ "id": "external_low_impact",
22
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L"
23
+ },
24
+ {
25
+ "id": "external_dns_query_only",
26
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L"
27
+ }
28
+ ]
29
+ },
30
+ {
31
+ "id": "unsafe_cross_origin_resource_sharing",
32
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N"
33
+ },
34
+ {
35
+ "id": "request_smuggling",
36
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
37
+ },
38
+ {
39
+ "id": "path_traversal",
40
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
41
+ },
42
+ {
43
+ "id": "directory_listing_enabled",
44
+ "children": [
45
+ {
46
+ "id": "sensitive_data_exposure",
47
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
48
+ },
49
+ {
50
+ "id": "non_sensitive_data_exposure",
51
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
52
+ }
53
+ ]
54
+ },
55
+ {
56
+ "id": "same_site_scripting",
57
+ "cvss_v3": "AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N"
58
+ },
59
+ {
60
+ "id": "ssl_attack_breach_poodle_etc",
61
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"
62
+ },
63
+ {
64
+ "id": "using_default_credentials",
65
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
66
+ },
67
+ {
68
+ "id": "misconfigured_dns",
69
+ "children": [
70
+ {
71
+ "id": "basic_subdomain_takeover",
72
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
73
+ },
74
+ {
75
+ "id": "high_impact_subdomain_takeover",
76
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N"
77
+ },
78
+ {
79
+ "id": "zone_transfer",
80
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
81
+ },
82
+ {
83
+ "id": "missing_caa_record",
84
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
85
+ }
86
+ ]
87
+ },
88
+ {
89
+ "id": "mail_server_misconfiguration",
90
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
91
+ "children": [
92
+ {
93
+ "id": "no_spoofing_protection_on_email_domain",
94
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
95
+ },
96
+ {
97
+ "id": "email_spoofing_to_inbox_due_to_missing_or_misconfigured_dmarc_on_email_domain",
98
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"
99
+ }
100
+ ]
101
+ },
102
+ {
103
+ "id": "dbms_misconfiguration",
104
+ "children": [
105
+ {
106
+ "id": "excessively_privileged_user_dba",
107
+ "cvss_v3": "AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N"
108
+ }
109
+ ]
110
+ },
111
+ {
112
+ "id": "lack_of_password_confirmation",
113
+ "cvss_v3": "AV:P/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L",
114
+ "children": [
115
+ {
116
+ "id": "manage_two_fa",
117
+ "cvss_v3": "AV:P/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L"
118
+ }
119
+ ]
120
+ },
121
+ {
122
+ "id": "no_rate_limiting_on_form",
123
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
124
+ "children": [
125
+ {
126
+ "id": "login",
127
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
128
+ },
129
+ {
130
+ "id": "change_password",
131
+ "cvss_v3": "AV:P/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L"
132
+ }
133
+ ]
134
+ },
135
+ {
136
+ "id": "unsafe_file_upload",
137
+ "children": [
138
+ {
139
+ "id": "no_antivirus",
140
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N"
141
+ },
142
+ {
143
+ "id": "no_size_limit",
144
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
145
+ },
146
+ {
147
+ "id": "file_extension_filter_bypass",
148
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
149
+ }
150
+ ]
151
+ },
152
+ {
153
+ "id": "cookie_scoped_to_parent_domain",
154
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
155
+ },
156
+ {
157
+ "id": "missing_secure_or_httponly_cookie_flag",
158
+ "children": [
159
+ {
160
+ "id": "session_token",
161
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
162
+ },
163
+ {
164
+ "id": "non_session_cookie",
165
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
166
+ }
167
+ ]
168
+ },
169
+ {
170
+ "id": "clickjacking",
171
+ "children": [
172
+ {
173
+ "id": "sensitive_action",
174
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
175
+ },
176
+ {
177
+ "id": "form_input",
178
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"
179
+ },
180
+ {
181
+ "id": "non_sensitive_action",
182
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N"
183
+ }
184
+ ]
185
+ },
186
+ {
187
+ "id": "oauth_misconfiguration",
188
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
189
+ "children": [
190
+ {
191
+ "id": "account_takeover",
192
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
193
+ },
194
+ {
195
+ "id": "account_squatting",
196
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N"
197
+ }
198
+ ]
199
+ },
200
+ {
201
+ "id": "captcha",
202
+ "children": [
203
+ {
204
+ "id": "implementation_vulnerability",
205
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
206
+ },
207
+ {
208
+ "id": "brute_force",
209
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
210
+ },
211
+ {
212
+ "id": "missing",
213
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
214
+ }
215
+ ]
216
+ },
217
+ {
218
+ "id": "exposed_admin_portal",
219
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
220
+ },
221
+ {
222
+ "id": "missing_dnssec",
223
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
224
+ },
225
+ {
226
+ "id": "fingerprinting_banner_disclosure",
227
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
228
+ },
229
+ {
230
+ "id": "username_enumeration",
231
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
232
+ },
233
+ {
234
+ "id": "potentially_unsafe_http_method_enabled",
235
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
236
+ },
237
+ {
238
+ "id": "insecure_ssl",
239
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
240
+ },
241
+ {
242
+ "id": "rfd",
243
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N"
244
+ },
245
+ {
246
+ "id": "lack_of_security_headers",
247
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N",
248
+ "children": [
249
+ {
250
+ "id": "cache_control_for_a_sensitive_page",
251
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
252
+ }
253
+ ]
254
+ },
255
+ {
256
+ "id": "waf_bypass",
257
+ "children": [
258
+ {
259
+ "id": "direct_server_access",
260
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
261
+ }
262
+ ]
263
+ },
264
+ {
265
+ "id": "race_condition",
266
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
267
+ },
268
+ {
269
+ "id": "cache_poisoning",
270
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
271
+ },
272
+ {
273
+ "id": "bitsquatting",
274
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
275
+ }
276
+ ]
277
+ },
278
+ {
279
+ "id": "server_side_injection",
280
+ "children": [
281
+ {
282
+ "id": "file_inclusion",
283
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"
284
+ },
285
+ {
286
+ "id": "parameter_pollution",
287
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
288
+ },
289
+ {
290
+ "id": "remote_code_execution_rce",
291
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
292
+ },
293
+ {
294
+ "id": "ldap_injection",
295
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
296
+ },
297
+ {
298
+ "id": "sql_injection",
299
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"
300
+ },
301
+ {
302
+ "id": "xml_external_entity_injection_xxe",
303
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"
304
+ },
305
+ {
306
+ "id": "http_response_manipulation",
307
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
308
+ },
309
+ {
310
+ "id": "content_spoofing",
311
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N",
312
+ "children": [
313
+ {
314
+ "id": "iframe_injection",
315
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"
316
+ },
317
+ {
318
+ "id": "impersonation_via_broken_link_hijacking",
319
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
320
+ },
321
+ {
322
+ "id": "external_authentication_injection",
323
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"
324
+ },
325
+ {
326
+ "id": "flash_based_external_authentication_injection",
327
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
328
+ },
329
+ {
330
+ "id": "html_content_injection",
331
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
332
+ },
333
+ {
334
+ "id": "email_html_injection",
335
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"
336
+ }
337
+ ]
338
+ },
339
+ {
340
+ "id": "ssti",
341
+ "children": [
342
+ {
343
+ "id": "basic",
344
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
345
+ },
346
+ {
347
+ "id": "custom",
348
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
349
+ }
350
+ ]
351
+ }
352
+ ]
353
+ },
354
+ {
355
+ "id": "broken_authentication_and_session_management",
356
+ "children": [
357
+ {
358
+ "id": "authentication_bypass",
359
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
360
+ },
361
+ {
362
+ "id": "two_fa_bypass",
363
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
364
+ },
365
+ {
366
+ "id": "privilege_escalation",
367
+ "cvss_v3": "AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N"
368
+ },
369
+ {
370
+ "id": "cleartext_transmission_of_session_token",
371
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
372
+ },
373
+ {
374
+ "id": "weak_login_function",
375
+ "children": [
376
+ {
377
+ "id": "not_operational",
378
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
379
+ },
380
+ {
381
+ "id": "other_plaintext_protocol_no_secure_alternative",
382
+ "cvss_v3": "AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
383
+ },
384
+ {
385
+ "id": "over_http",
386
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"
387
+ }
388
+ ]
389
+ },
390
+ {
391
+ "id": "session_fixation",
392
+ "children": [
393
+ {
394
+ "id": "remote_attack_vector",
395
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N"
396
+ },
397
+ {
398
+ "id": "local_attack_vector",
399
+ "cvss_v3": "AV:P/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N"
400
+ }
401
+ ]
402
+ },
403
+ {
404
+ "id": "failure_to_invalidate_session",
405
+ "children": [
406
+ {
407
+ "id": "on_logout",
408
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N"
409
+ },
410
+ {
411
+ "id": "permission_change",
412
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N"
413
+ },
414
+ {
415
+ "id": "on_logout_server_side_only",
416
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N"
417
+ },
418
+ {
419
+ "id": "on_password_change",
420
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N"
421
+ },
422
+ {
423
+ "id": "all_sessions",
424
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N"
425
+ },
426
+ {
427
+ "id": "on_email_change",
428
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N"
429
+ },
430
+ {
431
+ "id": "on_two_fa_activation_change",
432
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N"
433
+ },
434
+ {
435
+ "id": "long_timeout",
436
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N"
437
+ }
438
+ ]
439
+ },
440
+ {
441
+ "id": "concurrent_logins",
442
+ "cvss_v3": "AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N"
443
+ },
444
+ {
445
+ "id": "weak_registration_implementation",
446
+ "cvss_v3": "AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"
447
+ }
448
+ ]
449
+ },
450
+ {
451
+ "id": "sensitive_data_exposure",
452
+ "children": [
453
+ {
454
+ "id": "disclosure_of_secrets",
455
+ "children": [
456
+ {
457
+ "id": "for_publicly_accessible_asset",
458
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
459
+ },
460
+ {
461
+ "id": "pii_leakage_exposure",
462
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"
463
+ },
464
+ {
465
+ "id": "for_internal_asset",
466
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L"
467
+ },
468
+ {
469
+ "id": "pay_per_use_abuse",
470
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
471
+ },
472
+ {
473
+ "id": "intentionally_public_sample_or_invalid",
474
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
475
+ },
476
+ {
477
+ "id": "data_traffic_spam",
478
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
479
+ },
480
+ {
481
+ "id": "non_corporate_user",
482
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
483
+ }
484
+ ]
485
+ },
486
+ {
487
+ "id": "exif_geolocation_data_not_stripped_from_uploaded_images",
488
+ "children": [
489
+ {
490
+ "id": "automatic_user_enumeration",
491
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
492
+ },
493
+ {
494
+ "id": "manual_user_enumeration",
495
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
496
+ }
497
+ ]
498
+ },
499
+ {
500
+ "id": "visible_detailed_error_page",
501
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
502
+ "children": [
503
+ {
504
+ "id": "detailed_server_configuration",
505
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
506
+ }
507
+ ]
508
+ },
509
+ {
510
+ "id": "disclosure_of_known_public_information",
511
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
512
+ },
513
+ {
514
+ "id": "token_leakage_via_referer",
515
+ "children": [
516
+ {
517
+ "id": "trusted_third_party",
518
+ "cvss_v3": "AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N"
519
+ },
520
+ {
521
+ "id": "untrusted_third_party",
522
+ "cvss_v3": "AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N"
523
+ },
524
+ {
525
+ "id": "over_http",
526
+ "cvss_v3": "AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N"
527
+ }
528
+ ]
529
+ },
530
+ {
531
+ "id": "sensitive_token_in_url",
532
+ "cvss_v3": "AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
533
+ },
534
+ {
535
+ "id": "non_sensitive_token_in_url",
536
+ "cvss_v3": "AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
537
+ },
538
+ {
539
+ "id": "weak_password_reset_implementation",
540
+ "cvss_v3": "AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N",
541
+ "children": [
542
+ {
543
+ "id": "token_leakage_via_host_header_poisoning",
544
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L"
545
+ }
546
+ ]
547
+ },
548
+ {
549
+ "id": "mixed_content",
550
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:N"
551
+ },
552
+ {
553
+ "id": "sensitive_data_hardcoded",
554
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
555
+ },
556
+ {
557
+ "id": "internal_ip_disclosure",
558
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
559
+ },
560
+ {
561
+ "id": "xssi",
562
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N"
563
+ },
564
+ {
565
+ "id": "json_hijacking",
566
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N"
567
+ },
568
+ {
569
+ "id": "via_localstorage_sessionstorage",
570
+ "children": [
571
+ {
572
+ "id": "sensitive_token",
573
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
574
+ },
575
+ {
576
+ "id": "non_sensitive_token",
577
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
578
+ }
579
+ ]
580
+ }
581
+ ]
582
+ },
583
+ {
584
+ "id": "cross_site_scripting_xss",
585
+ "children": [
586
+ {
587
+ "id": "stored",
588
+ "children": [
589
+ {
590
+ "id": "non_admin_to_anyone",
591
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N"
592
+ },
593
+ {
594
+ "id": "privileged_user_to_privilege_elevation",
595
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N"
596
+ },
597
+ {
598
+ "id": "privileged_user_to_no_privilege_elevation",
599
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N"
600
+ },
601
+ {
602
+ "id": "url_based",
603
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
604
+ },
605
+ {
606
+ "id": "self",
607
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
608
+ }
609
+ ]
610
+ },
611
+ {
612
+ "id": "reflected",
613
+ "children": [
614
+ {
615
+ "id": "non_self",
616
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
617
+ },
618
+ {
619
+ "id": "self",
620
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
621
+ }
622
+ ]
623
+ },
624
+ {
625
+ "id": "flash_based",
626
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:N"
627
+ },
628
+ {
629
+ "id": "cookie_based",
630
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:N"
631
+ },
632
+ {
633
+ "id": "ie_only",
634
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
635
+ },
636
+ {
637
+ "id": "referer",
638
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
639
+ },
640
+ {
641
+ "id": "trace_method",
642
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
643
+ },
644
+ {
645
+ "id": "universal_uxss",
646
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
647
+ },
648
+ {
649
+ "id": "off_domain",
650
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
651
+ }
652
+ ]
653
+ },
654
+ {
655
+ "id": "broken_access_control",
656
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
657
+ "children": [
658
+ {
659
+ "id": "username_enumeration",
660
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
661
+ }
662
+ ]
663
+ },
664
+ {
665
+ "id": "cross_site_request_forgery_csrf",
666
+ "children": [
667
+ {
668
+ "id": "application_wide",
669
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L"
670
+ },
671
+ {
672
+ "id": "action_specific",
673
+ "children": [
674
+ {
675
+ "id": "authenticated_action",
676
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N"
677
+ },
678
+ {
679
+ "id": "unauthenticated_action",
680
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
681
+ },
682
+ {
683
+ "id": "logout",
684
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N"
685
+ }
686
+ ]
687
+ },
688
+ {
689
+ "id": "csrf_token_not_unique_per_request",
690
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
691
+ },
692
+ {
693
+ "id": "flash_based",
694
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
695
+ }
696
+ ]
697
+ },
698
+ {
699
+ "id": "application_level_denial_of_service_dos",
700
+ "children": [
701
+ {
702
+ "id": "critical_impact_and_or_easy_difficulty",
703
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
704
+ },
705
+ {
706
+ "id": "high_impact_and_or_medium_difficulty",
707
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
708
+ },
709
+ {
710
+ "id": "app_crash",
711
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
712
+ },
713
+ {
714
+ "id": "excessive_resource_consumption",
715
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H"
716
+ }
717
+ ]
718
+ },
719
+ {
720
+ "id": "unvalidated_redirects_and_forwards",
721
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
722
+ "children": [
723
+ {
724
+ "id": "open_redirect",
725
+ "children": [
726
+ {
727
+ "id": "get_based",
728
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
729
+ }
730
+ ]
731
+ }
732
+ ]
733
+ },
734
+ {
735
+ "id": "external_behavior",
736
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
737
+ },
738
+ {
739
+ "id": "insufficient_security_configurability",
740
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
741
+ "children": [
742
+ {
743
+ "id": "no_password_policy",
744
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"
745
+ },
746
+ {
747
+ "id": "weak_password_reset_implementation",
748
+ "children": [
749
+ {
750
+ "id": "token_is_not_invalidated_after_use",
751
+ "cvss_v3": "AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"
752
+ }
753
+ ]
754
+ },
755
+ {
756
+ "id": "weak_two_fa_implementation",
757
+ "children": [
758
+ {
759
+ "id": "two_fa_secret_cannot_be_rotated",
760
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
761
+ },
762
+ {
763
+ "id": "two_fa_secret_remains_obtainable_after_two_fa_is_enabled",
764
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
765
+ }
766
+ ]
767
+ }
768
+ ]
769
+ },
770
+ {
771
+ "id": "using_components_with_known_vulnerabilities",
772
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
773
+ "children": [
774
+ {
775
+ "id": "rosetta_flash",
776
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
777
+ }
778
+ ]
779
+ },
780
+ {
781
+ "id": "insecure_data_storage",
782
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
783
+ "children": [
784
+ {
785
+ "id": "sensitive_application_data_stored_unencrypted",
786
+ "children": [
787
+ {
788
+ "id": "on_external_storage",
789
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
790
+ }
791
+ ]
792
+ },
793
+ {
794
+ "id": "server_side_credentials_storage",
795
+ "children": [
796
+ {
797
+ "id": "plaintext",
798
+ "cvss_v3": "AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:N"
799
+ }
800
+ ]
801
+ }
802
+ ]
803
+ },
804
+ {
805
+ "id": "lack_of_binary_hardening",
806
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
807
+ },
808
+ {
809
+ "id": "insecure_data_transport",
810
+ "children": [
811
+ {
812
+ "id": "cleartext_transmission_of_sensitive_data",
813
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
814
+ },
815
+ {
816
+ "id": "executable_download",
817
+ "children": [
818
+ {
819
+ "id": "no_secure_integrity_check",
820
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N"
821
+ },
822
+ {
823
+ "id": "secure_integrity_check",
824
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:N"
825
+ }
826
+ ]
827
+ }
828
+ ]
829
+ },
830
+ {
831
+ "id": "insecure_os_firmware",
832
+ "children": [
833
+ {
834
+ "id": "command_injection",
835
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
836
+ },
837
+ {
838
+ "id": "hardcoded_password",
839
+ "children": [
840
+ {
841
+ "id": "privileged_user",
842
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
843
+ },
844
+ {
845
+ "id": "non_privileged_user",
846
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
847
+ }
848
+ ]
849
+ }
850
+ ]
851
+ },
852
+ {
853
+ "id": "cryptographic_weakness",
854
+ "children": [
855
+ {
856
+ "id": "insufficient_entropy",
857
+ "children": [
858
+ {
859
+ "id": "limited_rng_entropy_source",
860
+ "cvss_v3": "AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"
861
+ },
862
+ {
863
+ "id": "use_of_trng_for_nonsecurity_purpose",
864
+ "cvss_v3": "AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"
865
+ },
866
+ {
867
+ "id": "prng_seed_reuse",
868
+ "cvss_v3": "AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"
869
+ },
870
+ {
871
+ "id": "predictable_prng_seed",
872
+ "cvss_v3": "AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"
873
+ },
874
+ {
875
+ "id": "small_seed_space_in_prng",
876
+ "cvss_v3": "AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"
877
+ },
878
+ {
879
+ "id": "initialization_vector_reuse",
880
+ "cvss_v3": "AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"
881
+ },
882
+ {
883
+ "id": "predictable_initialization_vector",
884
+ "cvss_v3": "AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"
885
+ }
886
+ ]
887
+ },
888
+ {
889
+ "id": "insecure_implementation",
890
+ "children": [
891
+ {
892
+ "id": "missing_cryptographic_step",
893
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L"
894
+ },
895
+ {
896
+ "id": "improper_following_of_specification",
897
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L"
898
+ }
899
+ ]
900
+ },
901
+ {
902
+ "id": "weak_hash",
903
+ "children": [
904
+ {
905
+ "id": "lack_of_salt",
906
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N"
907
+ },
908
+ {
909
+ "id": "use_of_predictable_salt",
910
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N"
911
+ },
912
+ {
913
+ "id": "predictable_hash_collision",
914
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N"
915
+ }
916
+ ]
917
+ },
918
+ {
919
+ "id": "insufficient_verification_of_data_authenticity",
920
+ "children": [
921
+ {
922
+ "id": "identity_check_value",
923
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N"
924
+ },
925
+ {
926
+ "id": "cryptographic_signature",
927
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N"
928
+ }
929
+ ]
930
+ },
931
+ {
932
+ "id": "insecure_key_generation",
933
+ "children": [
934
+ {
935
+ "id": "improper_asymmetric_prime_selection",
936
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"
937
+ },
938
+ {
939
+ "id": "improper_asymmetric_exponent_selection",
940
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"
941
+ },
942
+ {
943
+ "id": "insufficient_key_stretching",
944
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N"
945
+ },
946
+ {
947
+ "id": "insufficient_key_space",
948
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
949
+ },
950
+ {
951
+ "id": "key_exchange_without_entity_authentication",
952
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N"
953
+ }
954
+ ]
955
+ },
956
+ {
957
+ "id": "key_reuse",
958
+ "children": [
959
+ {
960
+ "id": "lack_of_perfect_forward_secrecy",
961
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
962
+ },
963
+ {
964
+ "id": "intra_environment",
965
+ "cvss_v3": "AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"
966
+ },
967
+ {
968
+ "id": "inter_environment",
969
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H"
970
+ }
971
+ ]
972
+ },
973
+ {
974
+ "id": "broken_cryptography",
975
+ "children": [
976
+ {
977
+ "id": "use_of_broken_cryptographic_primitive",
978
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
979
+ },
980
+ {
981
+ "id": "use_of_vulnerable_cryptographic_library",
982
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N"
983
+ }
984
+ ]
985
+ },
986
+ {
987
+ "id": "side_channel_attack",
988
+ "children": [
989
+ {
990
+ "id": "padding_oracle_attack",
991
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
992
+ },
993
+ {
994
+ "id": "timing_attack",
995
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
996
+ },
997
+ {
998
+ "id": "power_analysis_attack",
999
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
1000
+ },
1001
+ {
1002
+ "id": "emanations_attack",
1003
+ "cvss_v3": "AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
1004
+ },
1005
+ {
1006
+ "id": "differential_fault_analysis",
1007
+ "cvss_v3": "AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
1008
+ }
1009
+ ]
1010
+ },
1011
+ {
1012
+ "id": "use_of_expired_cryptographic_key_or_cert",
1013
+ "cvss_v3": "AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"
1014
+ },
1015
+ {
1016
+ "id": "incomplete_cleanup_of_keying_material",
1017
+ "cvss_v3": "AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L"
1018
+ }
1019
+ ]
1020
+ },
1021
+ {
1022
+ "id": "privacy_concerns",
1023
+ "children": [
1024
+ {
1025
+ "id": "unnecessary_data_collection",
1026
+ "children": [
1027
+ {
1028
+ "id": "wifi_ssid_password",
1029
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
1030
+ }
1031
+ ]
1032
+ }
1033
+ ]
1034
+ },
1035
+ {
1036
+ "id": "network_security_misconfiguration",
1037
+ "children": [
1038
+ {
1039
+ "id": "telnet_enabled",
1040
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
1041
+ }
1042
+ ]
1043
+ },
1044
+ {
1045
+ "id": "mobile_security_misconfiguration",
1046
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
1047
+ "children": [
1048
+ {
1049
+ "id": "clipboard_enabled",
1050
+ "cvss_v3": "AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N"
1051
+ },
1052
+ {
1053
+ "id": "auto_backup_allowed_by_default",
1054
+ "cvss_v3": "AV:P/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"
1055
+ }
1056
+ ]
1057
+ },
1058
+ {
1059
+ "id": "client_side_injection",
1060
+ "children": [
1061
+ {
1062
+ "id": "binary_planting",
1063
+ "children": [
1064
+ {
1065
+ "id": "privilege_escalation",
1066
+ "cvss_v3": "AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
1067
+ },
1068
+ {
1069
+ "id": "non_default_folder_privilege_escalation",
1070
+ "cvss_v3": "AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N"
1071
+ },
1072
+ {
1073
+ "id": "no_privilege_escalation",
1074
+ "cvss_v3": "AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N"
1075
+ }
1076
+ ]
1077
+ }
1078
+ ]
1079
+ },
1080
+ {
1081
+ "id": "automotive_security_misconfiguration",
1082
+ "children": [
1083
+ {
1084
+ "id": "infotainment_radio_head_unit",
1085
+ "children": [
1086
+ {
1087
+ "id": "sensitive_data_leakage_exposure",
1088
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"
1089
+ },
1090
+ {
1091
+ "id": "ota_firmware_manipulation",
1092
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
1093
+ },
1094
+ {
1095
+ "id": "code_execution_can_bus_pivot",
1096
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
1097
+ },
1098
+ {
1099
+ "id": "code_execution_no_can_bus_pivot",
1100
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L"
1101
+ },
1102
+ {
1103
+ "id": "unauthorized_access_to_services",
1104
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L"
1105
+ },
1106
+ {
1107
+ "id": "source_code_dump",
1108
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"
1109
+ },
1110
+ {
1111
+ "id": "dos_brick",
1112
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
1113
+ },
1114
+ {
1115
+ "id": "default_credentials",
1116
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
1117
+ }
1118
+ ]
1119
+ },
1120
+ {
1121
+ "id": "rf_hub",
1122
+ "children": [
1123
+ {
1124
+ "id": "key_fob_cloning",
1125
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"
1126
+ },
1127
+ {
1128
+ "id": "can_injection_interaction",
1129
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
1130
+ },
1131
+ {
1132
+ "id": "data_leakage_pull_encryption_mechanism",
1133
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"
1134
+ },
1135
+ {
1136
+ "id": "unauthorized_access_turn_on",
1137
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L"
1138
+ },
1139
+ {
1140
+ "id": "roll_jam",
1141
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
1142
+ },
1143
+ {
1144
+ "id": "replay",
1145
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
1146
+ },
1147
+ {
1148
+ "id": "relay",
1149
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
1150
+ }
1151
+ ]
1152
+ },
1153
+ {
1154
+ "id": "can",
1155
+ "children": [
1156
+ {
1157
+ "id": "injection_battery_management_system",
1158
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
1159
+ },
1160
+ {
1161
+ "id": "injection_steering_control",
1162
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
1163
+ },
1164
+ {
1165
+ "id": "injection_pyrotechnical_device_deployment_tool",
1166
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
1167
+ },
1168
+ {
1169
+ "id": "injection_headlights",
1170
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
1171
+ },
1172
+ {
1173
+ "id": "injection_sensors",
1174
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
1175
+ },
1176
+ {
1177
+ "id": "injection_vehicle_anti_theft_systems",
1178
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
1179
+ },
1180
+ {
1181
+ "id": "injection_powertrain",
1182
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
1183
+ },
1184
+ {
1185
+ "id": "injection_basic_safety_message",
1186
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
1187
+ },
1188
+ {
1189
+ "id": "injection_disallowed_messages",
1190
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
1191
+ },
1192
+ {
1193
+ "id": "injection_dos",
1194
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
1195
+ }
1196
+ ]
1197
+ },
1198
+ {
1199
+ "id": "battery_management_system",
1200
+ "children": [
1201
+ {
1202
+ "id": "firmware_dump",
1203
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"
1204
+ },
1205
+ {
1206
+ "id": "fraudulent_interface",
1207
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H"
1208
+ }
1209
+ ]
1210
+ },
1211
+ {
1212
+ "id": "gnss_gps",
1213
+ "children": [
1214
+ {
1215
+ "id": "spoofing",
1216
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
1217
+ }
1218
+ ]
1219
+ },
1220
+ {
1221
+ "id": "immobilizer",
1222
+ "children": [
1223
+ {
1224
+ "id": "engine_start",
1225
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
1226
+ }
1227
+ ]
1228
+ },
1229
+ {
1230
+ "id": "abs",
1231
+ "children": [
1232
+ {
1233
+ "id": "unintended_acceleration_brake",
1234
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
1235
+ }
1236
+ ]
1237
+ },
1238
+ {
1239
+ "id": "rsu",
1240
+ "children": [
1241
+ {
1242
+ "id": "sybil_attack",
1243
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
1244
+ }
1245
+ ]
1246
+ }
1247
+ ]
1248
+ },
1249
+ {
1250
+ "id": "indicators_of_compromise",
1251
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
1252
+ },
1253
+ {
1254
+ "id": "ai_application_security",
1255
+ "children": [
1256
+ {
1257
+ "id": "llm_security",
1258
+ "children": [
1259
+ {
1260
+ "id": "prompt_injection",
1261
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L"
1262
+ },
1263
+ {
1264
+ "id": "llm_output_handling",
1265
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L"
1266
+ },
1267
+ {
1268
+ "id": "training_data_poisoning",
1269
+ "cvss_v3": "AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"
1270
+ },
1271
+ {
1272
+ "id": "excessive_agency_permission_manipulation",
1273
+ "cvss_v3": "AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"
1274
+ }
1275
+ ]
1276
+ }
1277
+ ]
1278
+ }
1279
+ ]
1280
+ }
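Review bot: Many leaf entries in this mapping (`race_condition`, `cache_poisoning`, `sensitive_data_hardcoded` and `exposed_admin_portal` among them) carry `AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N`, the same string as `metadata.default`. A consumer therefore cannot tell "no fixed rating" from "rated as no impact", and each of these computes to a CVSS base score of 0.0. If the all-None vector is a placeholder for context-dependent findings (an inference; nothing on the page says so), I would omit `cvss_v3` on those nodes so the fallback is explicit in the data and a loader can report them as unrated instead of 0.0. Separately, `id` values repeat across branches (`username_enumeration`, `over_http`, `self`, `flash_based`, `weak_password_reset_implementation`), so lookups have to key on the full parent path and not on the leaf id alone.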