vrt 0.11.0 → 0.12.5

Files changed (27)
  1. checksums.yaml +4 -4
  2. data/lib/data/1.11/deprecated-node-mapping.json +236 -0
  3. data/lib/data/1.11/mappings/cvss_v3/cvss_v3.json +1250 -0
  4. data/lib/data/1.11/mappings/cvss_v3/cvss_v3.schema.json +59 -0
  5. data/lib/data/1.11/mappings/cwe/cwe.json +664 -0
  6. data/lib/data/1.11/mappings/cwe/cwe.schema.json +63 -0
  7. data/lib/data/1.11/mappings/remediation_advice/remediation_advice.json +1811 -0
  8. data/lib/data/1.11/mappings/remediation_advice/remediation_advice.schema.json +75 -0
  9. data/lib/data/1.11/third-party-mappings/remediation_training/secure-code-warrior-links.json +392 -0
  10. data/lib/data/1.11/vrt.schema.json +63 -0
  11. data/lib/data/1.11/vulnerability-rating-taxonomy.json +2442 -0
  12. data/lib/data/1.12/deprecated-node-mapping.json +236 -0
  13. data/lib/data/1.12/mappings/cvss_v3/cvss_v3.json +1280 -0
  14. data/lib/data/1.12/mappings/cvss_v3/cvss_v3.schema.json +59 -0
  15. data/lib/data/1.12/mappings/cwe/cwe.json +668 -0
  16. data/lib/data/1.12/mappings/cwe/cwe.schema.json +63 -0
  17. data/lib/data/1.12/mappings/remediation_advice/remediation_advice.json +1850 -0
  18. data/lib/data/1.12/mappings/remediation_advice/remediation_advice.schema.json +75 -0
  19. data/lib/data/1.12/third-party-mappings/remediation_training/secure-code-warrior-links.json +400 -0
  20. data/lib/data/1.12/vrt.schema.json +63 -0
  21. data/lib/data/1.12/vulnerability-rating-taxonomy.json +2493 -0
  22. data/lib/vrt/mapping.rb +12 -6
  23. data/lib/vrt/node.rb +4 -0
  24. data/lib/vrt/third_party_links.rb +33 -0
  25. data/lib/vrt/version.rb +1 -1
  26. data/lib/vrt.rb +8 -0
  27. metadata +28 -7
@@ -0,0 +1,1250 @@
1
+ {
2
+ "metadata": {
3
+ "default": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
4
+ },
5
+ "content": [
6
+ {
7
+ "id": "server_security_misconfiguration",
8
+ "children": [
9
+ {
10
+ "id": "server_side_request_forgery_ssrf",
11
+ "children": [
12
+ {
13
+ "id": "internal_high_impact",
14
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"
15
+ },
16
+ {
17
+ "id": "internal_scan_and_or_medium_impact",
18
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N"
19
+ },
20
+ {
21
+ "id": "external_low_impact",
22
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L"
23
+ },
24
+ {
25
+ "id": "external_dns_query_only",
26
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L"
27
+ }
28
+ ]
29
+ },
30
+ {
31
+ "id": "unsafe_cross_origin_resource_sharing",
32
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N"
33
+ },
34
+ {
35
+ "id": "request_smuggling",
36
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
37
+ },
38
+ {
39
+ "id": "path_traversal",
40
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
41
+ },
42
+ {
43
+ "id": "directory_listing_enabled",
44
+ "children": [
45
+ {
46
+ "id": "sensitive_data_exposure",
47
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
48
+ },
49
+ {
50
+ "id": "non_sensitive_data_exposure",
51
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
52
+ }
53
+ ]
54
+ },
55
+ {
56
+ "id": "same_site_scripting",
57
+ "cvss_v3": "AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N"
58
+ },
59
+ {
60
+ "id": "ssl_attack_breach_poodle_etc",
61
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"
62
+ },
63
+ {
64
+ "id": "using_default_credentials",
65
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
66
+ },
67
+ {
68
+ "id": "misconfigured_dns",
69
+ "children": [
70
+ {
71
+ "id": "basic_subdomain_takeover",
72
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
73
+ },
74
+ {
75
+ "id": "high_impact_subdomain_takeover",
76
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N"
77
+ },
78
+ {
79
+ "id": "zone_transfer",
80
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
81
+ },
82
+ {
83
+ "id": "missing_caa_record",
84
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
85
+ }
86
+ ]
87
+ },
88
+ {
89
+ "id": "mail_server_misconfiguration",
90
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
91
+ "children": [
92
+ {
93
+ "id": "no_spoofing_protection_on_email_domain",
94
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
95
+ },
96
+ {
97
+ "id": "email_spoofing_to_inbox_due_to_missing_or_misconfigured_dmarc_on_email_domain",
98
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"
99
+ }
100
+ ]
101
+ },
102
+ {
103
+ "id": "dbms_misconfiguration",
104
+ "children": [
105
+ {
106
+ "id": "excessively_privileged_user_dba",
107
+ "cvss_v3": "AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N"
108
+ }
109
+ ]
110
+ },
111
+ {
112
+ "id": "lack_of_password_confirmation",
113
+ "cvss_v3": "AV:P/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L",
114
+ "children": [
115
+ {
116
+ "id": "manage_two_fa",
117
+ "cvss_v3": "AV:P/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L"
118
+ }
119
+ ]
120
+ },
121
+ {
122
+ "id": "no_rate_limiting_on_form",
123
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
124
+ "children": [
125
+ {
126
+ "id": "login",
127
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
128
+ },
129
+ {
130
+ "id": "change_password",
131
+ "cvss_v3": "AV:P/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L"
132
+ }
133
+ ]
134
+ },
135
+ {
136
+ "id": "unsafe_file_upload",
137
+ "children": [
138
+ {
139
+ "id": "no_antivirus",
140
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N"
141
+ },
142
+ {
143
+ "id": "no_size_limit",
144
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
145
+ },
146
+ {
147
+ "id": "file_extension_filter_bypass",
148
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
149
+ }
150
+ ]
151
+ },
152
+ {
153
+ "id": "cookie_scoped_to_parent_domain",
154
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
155
+ },
156
+ {
157
+ "id": "missing_secure_or_httponly_cookie_flag",
158
+ "children": [
159
+ {
160
+ "id": "session_token",
161
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
162
+ },
163
+ {
164
+ "id": "non_session_cookie",
165
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
166
+ }
167
+ ]
168
+ },
169
+ {
170
+ "id": "clickjacking",
171
+ "children": [
172
+ {
173
+ "id": "sensitive_action",
174
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
175
+ },
176
+ {
177
+ "id": "form_input",
178
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"
179
+ },
180
+ {
181
+ "id": "non_sensitive_action",
182
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N"
183
+ }
184
+ ]
185
+ },
186
+ {
187
+ "id": "oauth_misconfiguration",
188
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
189
+ "children": [
190
+ {
191
+ "id": "account_takeover",
192
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
193
+ },
194
+ {
195
+ "id": "account_squatting",
196
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N"
197
+ }
198
+ ]
199
+ },
200
+ {
201
+ "id": "captcha",
202
+ "children": [
203
+ {
204
+ "id": "implementation_vulnerability",
205
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
206
+ },
207
+ {
208
+ "id": "brute_force",
209
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
210
+ },
211
+ {
212
+ "id": "missing",
213
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
214
+ }
215
+ ]
216
+ },
217
+ {
218
+ "id": "exposed_admin_portal",
219
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
220
+ },
221
+ {
222
+ "id": "missing_dnssec",
223
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
224
+ },
225
+ {
226
+ "id": "fingerprinting_banner_disclosure",
227
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
228
+ },
229
+ {
230
+ "id": "username_enumeration",
231
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
232
+ },
233
+ {
234
+ "id": "potentially_unsafe_http_method_enabled",
235
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
236
+ },
237
+ {
238
+ "id": "insecure_ssl",
239
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
240
+ },
241
+ {
242
+ "id": "rfd",
243
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N"
244
+ },
245
+ {
246
+ "id": "lack_of_security_headers",
247
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N",
248
+ "children": [
249
+ {
250
+ "id": "cache_control_for_a_sensitive_page",
251
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
252
+ }
253
+ ]
254
+ },
255
+ {
256
+ "id": "waf_bypass",
257
+ "children": [
258
+ {
259
+ "id": "direct_server_access",
260
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
261
+ }
262
+ ]
263
+ },
264
+ {
265
+ "id": "race_condition",
266
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
267
+ },
268
+ {
269
+ "id": "cache_poisoning",
270
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
271
+ },
272
+ {
273
+ "id": "bitsquatting",
274
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
275
+ }
276
+ ]
277
+ },
278
+ {
279
+ "id": "server_side_injection",
280
+ "children": [
281
+ {
282
+ "id": "file_inclusion",
283
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"
284
+ },
285
+ {
286
+ "id": "parameter_pollution",
287
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
288
+ },
289
+ {
290
+ "id": "remote_code_execution_rce",
291
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
292
+ },
293
+ {
294
+ "id": "ldap_injection",
295
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
296
+ },
297
+ {
298
+ "id": "sql_injection",
299
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"
300
+ },
301
+ {
302
+ "id": "xml_external_entity_injection_xxe",
303
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"
304
+ },
305
+ {
306
+ "id": "http_response_manipulation",
307
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
308
+ },
309
+ {
310
+ "id": "content_spoofing",
311
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N",
312
+ "children": [
313
+ {
314
+ "id": "iframe_injection",
315
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"
316
+ },
317
+ {
318
+ "id": "impersonation_via_broken_link_hijacking",
319
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
320
+ },
321
+ {
322
+ "id": "external_authentication_injection",
323
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"
324
+ },
325
+ {
326
+ "id": "flash_based_external_authentication_injection",
327
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
328
+ },
329
+ {
330
+ "id": "html_content_injection",
331
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
332
+ },
333
+ {
334
+ "id": "email_html_injection",
335
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"
336
+ }
337
+ ]
338
+ },
339
+ {
340
+ "id": "ssti",
341
+ "children": [
342
+ {
343
+ "id": "basic",
344
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
345
+ },
346
+ {
347
+ "id": "custom",
348
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
349
+ }
350
+ ]
351
+ }
352
+ ]
353
+ },
354
+ {
355
+ "id": "broken_authentication_and_session_management",
356
+ "children": [
357
+ {
358
+ "id": "authentication_bypass",
359
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
360
+ },
361
+ {
362
+ "id": "two_fa_bypass",
363
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
364
+ },
365
+ {
366
+ "id": "privilege_escalation",
367
+ "cvss_v3": "AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N"
368
+ },
369
+ {
370
+ "id": "cleartext_transmission_of_session_token",
371
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
372
+ },
373
+ {
374
+ "id": "weak_login_function",
375
+ "children": [
376
+ {
377
+ "id": "not_operational",
378
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
379
+ },
380
+ {
381
+ "id": "other_plaintext_protocol_no_secure_alternative",
382
+ "cvss_v3": "AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
383
+ },
384
+ {
385
+ "id": "over_http",
386
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"
387
+ }
388
+ ]
389
+ },
390
+ {
391
+ "id": "session_fixation",
392
+ "children": [
393
+ {
394
+ "id": "remote_attack_vector",
395
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N"
396
+ },
397
+ {
398
+ "id": "local_attack_vector",
399
+ "cvss_v3": "AV:P/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N"
400
+ }
401
+ ]
402
+ },
403
+ {
404
+ "id": "failure_to_invalidate_session",
405
+ "children": [
406
+ {
407
+ "id": "on_logout",
408
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N"
409
+ },
410
+ {
411
+ "id": "permission_change",
412
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N"
413
+ },
414
+ {
415
+ "id": "on_logout_server_side_only",
416
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N"
417
+ },
418
+ {
419
+ "id": "on_password_change",
420
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N"
421
+ },
422
+ {
423
+ "id": "all_sessions",
424
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N"
425
+ },
426
+ {
427
+ "id": "on_email_change",
428
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N"
429
+ },
430
+ {
431
+ "id": "on_two_fa_activation_change",
432
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N"
433
+ },
434
+ {
435
+ "id": "long_timeout",
436
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N"
437
+ }
438
+ ]
439
+ },
440
+ {
441
+ "id": "concurrent_logins",
442
+ "cvss_v3": "AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N"
443
+ },
444
+ {
445
+ "id": "weak_registration_implementation",
446
+ "cvss_v3": "AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"
447
+ }
448
+ ]
449
+ },
450
+ {
451
+ "id": "sensitive_data_exposure",
452
+ "children": [
453
+ {
454
+ "id": "disclosure_of_secrets",
455
+ "children": [
456
+ {
457
+ "id": "for_publicly_accessible_asset",
458
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
459
+ },
460
+ {
461
+ "id": "pii_leakage_exposure",
462
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"
463
+ },
464
+ {
465
+ "id": "for_internal_asset",
466
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L"
467
+ },
468
+ {
469
+ "id": "pay_per_use_abuse",
470
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
471
+ },
472
+ {
473
+ "id": "intentionally_public_sample_or_invalid",
474
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
475
+ },
476
+ {
477
+ "id": "data_traffic_spam",
478
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
479
+ },
480
+ {
481
+ "id": "non_corporate_user",
482
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
483
+ }
484
+ ]
485
+ },
486
+ {
487
+ "id": "exif_geolocation_data_not_stripped_from_uploaded_images",
488
+ "children": [
489
+ {
490
+ "id": "automatic_user_enumeration",
491
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
492
+ },
493
+ {
494
+ "id": "manual_user_enumeration",
495
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
496
+ }
497
+ ]
498
+ },
499
+ {
500
+ "id": "visible_detailed_error_page",
501
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
502
+ "children": [
503
+ {
504
+ "id": "detailed_server_configuration",
505
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
506
+ }
507
+ ]
508
+ },
509
+ {
510
+ "id": "disclosure_of_known_public_information",
511
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
512
+ },
513
+ {
514
+ "id": "token_leakage_via_referer",
515
+ "children": [
516
+ {
517
+ "id": "trusted_third_party",
518
+ "cvss_v3": "AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N"
519
+ },
520
+ {
521
+ "id": "untrusted_third_party",
522
+ "cvss_v3": "AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N"
523
+ },
524
+ {
525
+ "id": "over_http",
526
+ "cvss_v3": "AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N"
527
+ }
528
+ ]
529
+ },
530
+ {
531
+ "id": "sensitive_token_in_url",
532
+ "cvss_v3": "AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
533
+ },
534
+ {
535
+ "id": "non_sensitive_token_in_url",
536
+ "cvss_v3": "AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
537
+ },
538
+ {
539
+ "id": "weak_password_reset_implementation",
540
+ "cvss_v3": "AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N",
541
+ "children": [
542
+ {
543
+ "id": "token_leakage_via_host_header_poisoning",
544
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L"
545
+ }
546
+ ]
547
+ },
548
+ {
549
+ "id": "mixed_content",
550
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:N"
551
+ },
552
+ {
553
+ "id": "sensitive_data_hardcoded",
554
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
555
+ },
556
+ {
557
+ "id": "internal_ip_disclosure",
558
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
559
+ },
560
+ {
561
+ "id": "xssi",
562
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N"
563
+ },
564
+ {
565
+ "id": "json_hijacking",
566
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N"
567
+ },
568
+ {
569
+ "id": "via_localstorage_sessionstorage",
570
+ "children": [
571
+ {
572
+ "id": "sensitive_token",
573
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
574
+ },
575
+ {
576
+ "id": "non_sensitive_token",
577
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
578
+ }
579
+ ]
580
+ }
581
+ ]
582
+ },
583
+ {
584
+ "id": "cross_site_scripting_xss",
585
+ "children": [
586
+ {
587
+ "id": "stored",
588
+ "children": [
589
+ {
590
+ "id": "non_admin_to_anyone",
591
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N"
592
+ },
593
+ {
594
+ "id": "privileged_user_to_privilege_elevation",
595
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N"
596
+ },
597
+ {
598
+ "id": "privileged_user_to_no_privilege_elevation",
599
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N"
600
+ },
601
+ {
602
+ "id": "url_based",
603
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
604
+ },
605
+ {
606
+ "id": "self",
607
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
608
+ }
609
+ ]
610
+ },
611
+ {
612
+ "id": "reflected",
613
+ "children": [
614
+ {
615
+ "id": "non_self",
616
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
617
+ },
618
+ {
619
+ "id": "self",
620
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
621
+ }
622
+ ]
623
+ },
624
+ {
625
+ "id": "flash_based",
626
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:N"
627
+ },
628
+ {
629
+ "id": "cookie_based",
630
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:N"
631
+ },
632
+ {
633
+ "id": "ie_only",
634
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
635
+ },
636
+ {
637
+ "id": "referer",
638
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
639
+ },
640
+ {
641
+ "id": "trace_method",
642
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
643
+ },
644
+ {
645
+ "id": "universal_uxss",
646
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
647
+ },
648
+ {
649
+ "id": "off_domain",
650
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
651
+ }
652
+ ]
653
+ },
654
+ {
655
+ "id": "broken_access_control",
656
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
657
+ "children": [
658
+ {
659
+ "id": "username_enumeration",
660
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
661
+ }
662
+ ]
663
+ },
664
+ {
665
+ "id": "cross_site_request_forgery_csrf",
666
+ "children": [
667
+ {
668
+ "id": "application_wide",
669
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L"
670
+ },
671
+ {
672
+ "id": "action_specific",
673
+ "children": [
674
+ {
675
+ "id": "authenticated_action",
676
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N"
677
+ },
678
+ {
679
+ "id": "unauthenticated_action",
680
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
681
+ },
682
+ {
683
+ "id": "logout",
684
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N"
685
+ }
686
+ ]
687
+ },
688
+ {
689
+ "id": "csrf_token_not_unique_per_request",
690
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
691
+ },
692
+ {
693
+ "id": "flash_based",
694
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
695
+ }
696
+ ]
697
+ },
698
+ {
699
+ "id": "application_level_denial_of_service_dos",
700
+ "children": [
701
+ {
702
+ "id": "critical_impact_and_or_easy_difficulty",
703
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
704
+ },
705
+ {
706
+ "id": "high_impact_and_or_medium_difficulty",
707
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
708
+ },
709
+ {
710
+ "id": "app_crash",
711
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
712
+ }
713
+ ]
714
+ },
715
+ {
716
+ "id": "unvalidated_redirects_and_forwards",
717
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
718
+ "children": [
719
+ {
720
+ "id": "open_redirect",
721
+ "children": [
722
+ {
723
+ "id": "get_based",
724
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
725
+ }
726
+ ]
727
+ }
728
+ ]
729
+ },
730
+ {
731
+ "id": "external_behavior",
732
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
733
+ },
734
+ {
735
+ "id": "insufficient_security_configurability",
736
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
737
+ "children": [
738
+ {
739
+ "id": "no_password_policy",
740
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"
741
+ },
742
+ {
743
+ "id": "weak_password_reset_implementation",
744
+ "children": [
745
+ {
746
+ "id": "token_is_not_invalidated_after_use",
747
+ "cvss_v3": "AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"
748
+ }
749
+ ]
750
+ },
751
+ {
752
+ "id": "weak_two_fa_implementation",
753
+ "children": [
754
+ {
755
+ "id": "two_fa_secret_cannot_be_rotated",
756
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
757
+ },
758
+ {
759
+ "id": "two_fa_secret_remains_obtainable_after_two_fa_is_enabled",
760
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
761
+ }
762
+ ]
763
+ }
764
+ ]
765
+ },
766
+ {
767
+ "id": "using_components_with_known_vulnerabilities",
768
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
769
+ "children": [
770
+ {
771
+ "id": "rosetta_flash",
772
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
773
+ }
774
+ ]
775
+ },
776
+ {
777
+ "id": "insecure_data_storage",
778
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
779
+ "children": [
780
+ {
781
+ "id": "sensitive_application_data_stored_unencrypted",
782
+ "children": [
783
+ {
784
+ "id": "on_external_storage",
785
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
786
+ }
787
+ ]
788
+ },
789
+ {
790
+ "id": "server_side_credentials_storage",
791
+ "children": [
792
+ {
793
+ "id": "plaintext",
794
+ "cvss_v3": "AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:N"
795
+ }
796
+ ]
797
+ }
798
+ ]
799
+ },
800
+ {
801
+ "id": "lack_of_binary_hardening",
802
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
803
+ },
804
+ {
805
+ "id": "insecure_data_transport",
806
+ "children": [
807
+ {
808
+ "id": "cleartext_transmission_of_sensitive_data",
809
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
810
+ },
811
+ {
812
+ "id": "executable_download",
813
+ "children": [
814
+ {
815
+ "id": "no_secure_integrity_check",
816
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N"
817
+ },
818
+ {
819
+ "id": "secure_integrity_check",
820
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:N"
821
+ }
822
+ ]
823
+ }
824
+ ]
825
+ },
826
+ {
827
+ "id": "insecure_os_firmware",
828
+ "children": [
829
+ {
830
+ "id": "command_injection",
831
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
832
+ },
833
+ {
834
+ "id": "hardcoded_password",
835
+ "children": [
836
+ {
837
+ "id": "privileged_user",
838
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
839
+ },
840
+ {
841
+ "id": "non_privileged_user",
842
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
843
+ }
844
+ ]
845
+ }
846
+ ]
847
+ },
848
+ {
849
+ "id": "cryptographic_weakness",
850
+ "children": [
851
+ {
852
+ "id": "insufficient_entropy",
853
+ "children": [
854
+ {
855
+ "id": "limited_rng_entropy_source",
856
+ "cvss_v3": "AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"
857
+ },
858
+ {
859
+ "id": "use_of_trng_for_nonsecurity_purpose",
860
+ "cvss_v3": "AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"
861
+ },
862
+ {
863
+ "id": "prng_seed_reuse",
864
+ "cvss_v3": "AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"
865
+ },
866
+ {
867
+ "id": "predictable_prng_seed",
868
+ "cvss_v3": "AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"
869
+ },
870
+ {
871
+ "id": "small_seed_space_in_prng",
872
+ "cvss_v3": "AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"
873
+ },
874
+ {
875
+ "id": "initialization_vector_reuse",
876
+ "cvss_v3": "AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"
877
+ },
878
+ {
879
+ "id": "predictable_initialization_vector",
880
+ "cvss_v3": "AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"
881
+ }
882
+ ]
883
+ },
884
+ {
885
+ "id": "insecure_implementation",
886
+ "children": [
887
+ {
888
+ "id": "missing_cryptographic_step",
889
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L"
890
+ },
891
+ {
892
+ "id": "improper_following_of_specification",
893
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L"
894
+ }
895
+ ]
896
+ },
897
+ {
898
+ "id": "weak_hash",
899
+ "children": [
900
+ {
901
+ "id": "lack_of_salt",
902
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N"
903
+ },
904
+ {
905
+ "id": "use_of_predictable_salt",
906
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N"
907
+ },
908
+ {
909
+ "id": "predictable_hash_collision",
910
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N"
911
+ }
912
+ ]
913
+ },
914
+ {
915
+ "id": "insufficient_verification_of_data_authenticity",
916
+ "children": [
917
+ {
918
+ "id": "identity_check_value",
919
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N"
920
+ },
921
+ {
922
+ "id": "cryptographic_signature",
923
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N"
924
+ }
925
+ ]
926
+ },
927
+ {
928
+ "id": "insecure_key_generation",
929
+ "children": [
930
+ {
931
+ "id": "improper_asymmetric_prime_selection",
932
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"
933
+ },
934
+ {
935
+ "id": "improper_asymmetric_exponent_selection",
936
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"
937
+ },
938
+ {
939
+ "id": "insufficient_key_stretching",
940
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N"
941
+ },
942
+ {
943
+ "id": "insufficient_key_space",
944
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
945
+ },
946
+ {
947
+ "id": "key_exchange_without_entity_authentication",
948
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N"
949
+ }
950
+ ]
951
+ },
952
+ {
953
+ "id": "key_reuse",
954
+ "children": [
955
+ {
956
+ "id": "lack_of_perfect_forward_secrecy",
957
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
958
+ },
959
+ {
960
+ "id": "intra_environment",
961
+ "cvss_v3": "AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"
962
+ },
963
+ {
964
+ "id": "inter_environment",
965
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H"
966
+ }
967
+ ]
968
+ },
969
+ {
970
+ "id": "broken_cryptography",
971
+ "children": [
972
+ {
973
+ "id": "use_of_broken_cryptographic_primitive",
974
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
975
+ },
976
+ {
977
+ "id": "use_of_vulnerable_cryptographic_library",
978
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N"
979
+ }
980
+ ]
981
+ },
982
+ {
983
+ "id": "side_channel_attack",
984
+ "children": [
985
+ {
986
+ "id": "padding_oracle_attack",
987
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
988
+ },
989
+ {
990
+ "id": "timing_attack",
991
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
992
+ },
993
+ {
994
+ "id": "power_analysis_attack",
995
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
996
+ },
997
+ {
998
+ "id": "emanations_attack",
999
+ "cvss_v3": "AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
1000
+ },
1001
+ {
1002
+ "id": "differential_fault_analysis",
1003
+ "cvss_v3": "AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
1004
+ }
1005
+ ]
1006
+ },
1007
+ {
1008
+ "id": "use_of_expired_cryptographic_key_or_cert",
1009
+ "cvss_v3": "AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"
1010
+ },
1011
+ {
1012
+ "id": "incomplete_cleanup_of_keying_material",
1013
+ "cvss_v3": "AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L"
1014
+ }
1015
+ ]
1016
+ },
1017
+ {
1018
+ "id": "privacy_concerns",
1019
+ "children": [
1020
+ {
1021
+ "id": "unnecessary_data_collection",
1022
+ "children": [
1023
+ {
1024
+ "id": "wifi_ssid_password",
1025
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
1026
+ }
1027
+ ]
1028
+ }
1029
+ ]
1030
+ },
1031
+ {
1032
+ "id": "network_security_misconfiguration",
1033
+ "children": [
1034
+ {
1035
+ "id": "telnet_enabled",
1036
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
1037
+ }
1038
+ ]
1039
+ },
1040
+ {
1041
+ "id": "mobile_security_misconfiguration",
1042
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
1043
+ "children": [
1044
+ {
1045
+ "id": "clipboard_enabled",
1046
+ "cvss_v3": "AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N"
1047
+ },
1048
+ {
1049
+ "id": "auto_backup_allowed_by_default",
1050
+ "cvss_v3": "AV:P/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"
1051
+ }
1052
+ ]
1053
+ },
1054
+ {
1055
+ "id": "client_side_injection",
1056
+ "children": [
1057
+ {
1058
+ "id": "binary_planting",
1059
+ "children": [
1060
+ {
1061
+ "id": "privilege_escalation",
1062
+ "cvss_v3": "AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
1063
+ },
1064
+ {
1065
+ "id": "non_default_folder_privilege_escalation",
1066
+ "cvss_v3": "AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N"
1067
+ },
1068
+ {
1069
+ "id": "no_privilege_escalation",
1070
+ "cvss_v3": "AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N"
1071
+ }
1072
+ ]
1073
+ }
1074
+ ]
1075
+ },
1076
+ {
1077
+ "id": "automotive_security_misconfiguration",
1078
+ "children": [
1079
+ {
1080
+ "id": "infotainment_radio_head_unit",
1081
+ "children": [
1082
+ {
1083
+ "id": "sensitive_data_leakage_exposure",
1084
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"
1085
+ },
1086
+ {
1087
+ "id": "ota_firmware_manipulation",
1088
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
1089
+ },
1090
+ {
1091
+ "id": "code_execution_can_bus_pivot",
1092
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
1093
+ },
1094
+ {
1095
+ "id": "code_execution_no_can_bus_pivot",
1096
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L"
1097
+ },
1098
+ {
1099
+ "id": "unauthorized_access_to_services",
1100
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L"
1101
+ },
1102
+ {
1103
+ "id": "source_code_dump",
1104
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"
1105
+ },
1106
+ {
1107
+ "id": "dos_brick",
1108
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
1109
+ },
1110
+ {
1111
+ "id": "default_credentials",
1112
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
1113
+ }
1114
+ ]
1115
+ },
1116
+ {
1117
+ "id": "rf_hub",
1118
+ "children": [
1119
+ {
1120
+ "id": "key_fob_cloning",
1121
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"
1122
+ },
1123
+ {
1124
+ "id": "can_injection_interaction",
1125
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
1126
+ },
1127
+ {
1128
+ "id": "data_leakage_pull_encryption_mechanism",
1129
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"
1130
+ },
1131
+ {
1132
+ "id": "unauthorized_access_turn_on",
1133
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L"
1134
+ },
1135
+ {
1136
+ "id": "roll_jam",
1137
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
1138
+ },
1139
+ {
1140
+ "id": "replay",
1141
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
1142
+ },
1143
+ {
1144
+ "id": "relay",
1145
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
1146
+ }
1147
+ ]
1148
+ },
1149
+ {
1150
+ "id": "can",
1151
+ "children": [
1152
+ {
1153
+ "id": "injection_battery_management_system",
1154
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
1155
+ },
1156
+ {
1157
+ "id": "injection_steering_control",
1158
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
1159
+ },
1160
+ {
1161
+ "id": "injection_pyrotechnical_device_deployment_tool",
1162
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
1163
+ },
1164
+ {
1165
+ "id": "injection_headlights",
1166
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
1167
+ },
1168
+ {
1169
+ "id": "injection_sensors",
1170
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
1171
+ },
1172
+ {
1173
+ "id": "injection_vehicle_anti_theft_systems",
1174
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
1175
+ },
1176
+ {
1177
+ "id": "injection_powertrain",
1178
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
1179
+ },
1180
+ {
1181
+ "id": "injection_basic_safety_message",
1182
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
1183
+ },
1184
+ {
1185
+ "id": "injection_disallowed_messages",
1186
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
1187
+ },
1188
+ {
1189
+ "id": "injection_dos",
1190
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
1191
+ }
1192
+ ]
1193
+ },
1194
+ {
1195
+ "id": "battery_management_system",
1196
+ "children": [
1197
+ {
1198
+ "id": "firmware_dump",
1199
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"
1200
+ },
1201
+ {
1202
+ "id": "fraudulent_interface",
1203
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H"
1204
+ }
1205
+ ]
1206
+ },
1207
+ {
1208
+ "id": "gnss_gps",
1209
+ "children": [
1210
+ {
1211
+ "id": "spoofing",
1212
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
1213
+ }
1214
+ ]
1215
+ },
1216
+ {
1217
+ "id": "immobilizer",
1218
+ "children": [
1219
+ {
1220
+ "id": "engine_start",
1221
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
1222
+ }
1223
+ ]
1224
+ },
1225
+ {
1226
+ "id": "abs",
1227
+ "children": [
1228
+ {
1229
+ "id": "unintended_acceleration_brake",
1230
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
1231
+ }
1232
+ ]
1233
+ },
1234
+ {
1235
+ "id": "rsu",
1236
+ "children": [
1237
+ {
1238
+ "id": "sybil_attack",
1239
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
1240
+ }
1241
+ ]
1242
+ }
1243
+ ]
1244
+ },
1245
+ {
1246
+ "id": "indicators_of_compromise",
1247
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
1248
+ }
1249
+ ]
1250
+ }
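Review bot: Many nodes in this mapping carry exactly the vector given as `metadata.default`, `AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N` (for example `race_condition`, `cache_poisoning`, `sensitive_data_hardcoded` and `indicators_of_compromise`), so a consumer cannot tell a deliberate "no impact" rating from "no fixed rating for this category". Every impact metric in that vector is None, which gives a CVSS v3 base score of 0.0, so a triage pipeline that sorts or filters on the computed score would rank these findings last regardless of what the individual report shows. If the intent is "severity varies by finding", which this page does not state, it would help to say so in a `description` in the accompanying `cvss_v3.schema.json`, or to leave the `cvss_v3` key off those nodes, provided the loader falls back to `metadata.default` (not visible here). A related inconsistency is `mixed_content`, whose vector `AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:N` records a changed scope alongside no impact.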