vrt 0.12.6 → 0.13.1

Files changed (29) hide show
  1. checksums.yaml +4 -4
  2. data/lib/data/1.14/deprecated-node-mapping.json +239 -0
  3. data/lib/data/1.14/mappings/cvss_v3/cvss_v3.json +1441 -0
  4. data/lib/data/1.14/mappings/cvss_v3/cvss_v3.schema.json +59 -0
  5. data/lib/data/1.14/mappings/cwe/cwe.json +818 -0
  6. data/lib/data/1.14/mappings/cwe/cwe.schema.json +63 -0
  7. data/lib/data/1.14/mappings/remediation_advice/remediation_advice.json +2080 -0
  8. data/lib/data/1.14/mappings/remediation_advice/remediation_advice.schema.json +75 -0
  9. data/lib/data/1.14/third-party-mappings/remediation_training/secure-code-warrior-links.json +438 -0
  10. data/lib/data/1.14/vrt.schema.json +63 -0
  11. data/lib/data/1.14/vulnerability-rating-taxonomy.json +2730 -0
  12. data/lib/data/1.14.1/deprecated-node-mapping.json +239 -0
  13. data/lib/data/1.14.1/mappings/cvss_v3/cvss_v3.json +1441 -0
  14. data/lib/data/1.14.1/mappings/cvss_v3/cvss_v3.schema.json +59 -0
  15. data/lib/data/1.14.1/mappings/cwe/cwe.json +818 -0
  16. data/lib/data/1.14.1/mappings/cwe/cwe.schema.json +63 -0
  17. data/lib/data/1.14.1/mappings/remediation_advice/remediation_advice.json +2080 -0
  18. data/lib/data/1.14.1/mappings/remediation_advice/remediation_advice.schema.json +75 -0
  19. data/lib/data/1.14.1/third-party-mappings/remediation_training/secure-code-warrior-links.json +438 -0
  20. data/lib/data/1.14.1/vrt.schema.json +63 -0
  21. data/lib/data/1.14.1/vulnerability-rating-taxonomy.json +2730 -0
  22. data/lib/vrt/cross_version_mapping.rb +2 -2
  23. data/lib/vrt/map.rb +2 -2
  24. data/lib/vrt/mapping.rb +9 -5
  25. data/lib/vrt/node.rb +2 -2
  26. data/lib/vrt/third_party_links.rb +1 -1
  27. data/lib/vrt/version.rb +1 -1
  28. data/lib/vrt.rb +1 -1
  29. metadata +36 -14
@@ -0,0 +1,1441 @@
1
+ {
2
+ "metadata": {
3
+ "default": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
4
+ },
5
+ "content": [
6
+ {
7
+ "id": "server_security_misconfiguration",
8
+ "children": [
9
+ {
10
+ "id": "server_side_request_forgery_ssrf",
11
+ "children": [
12
+ {
13
+ "id": "internal_high_impact",
14
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"
15
+ },
16
+ {
17
+ "id": "internal_scan_and_or_medium_impact",
18
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N"
19
+ },
20
+ {
21
+ "id": "external_low_impact",
22
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L"
23
+ },
24
+ {
25
+ "id": "external_dns_query_only",
26
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L"
27
+ }
28
+ ]
29
+ },
30
+ {
31
+ "id": "unsafe_cross_origin_resource_sharing",
32
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N"
33
+ },
34
+ {
35
+ "id": "software_package_takeover",
36
+ "cvss_v3": "AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
37
+ },
38
+ {
39
+ "id": "email_verification_bypass",
40
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
41
+ },
42
+ {
43
+ "id": "missing_subresource_integrity",
44
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
45
+ },
46
+ {
47
+ "id": "request_smuggling",
48
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
49
+ },
50
+ {
51
+ "id": "path_traversal",
52
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
53
+ },
54
+ {
55
+ "id": "directory_listing_enabled",
56
+ "children": [
57
+ {
58
+ "id": "sensitive_data_exposure",
59
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
60
+ },
61
+ {
62
+ "id": "non_sensitive_data_exposure",
63
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
64
+ }
65
+ ]
66
+ },
67
+ {
68
+ "id": "same_site_scripting",
69
+ "cvss_v3": "AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N"
70
+ },
71
+ {
72
+ "id": "ssl_attack_breach_poodle_etc",
73
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"
74
+ },
75
+ {
76
+ "id": "using_default_credentials",
77
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
78
+ },
79
+ {
80
+ "id": "misconfigured_dns",
81
+ "children": [
82
+ {
83
+ "id": "basic_subdomain_takeover",
84
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
85
+ },
86
+ {
87
+ "id": "high_impact_subdomain_takeover",
88
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N"
89
+ },
90
+ {
91
+ "id": "zone_transfer",
92
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
93
+ },
94
+ {
95
+ "id": "missing_caa_record",
96
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
97
+ }
98
+ ]
99
+ },
100
+ {
101
+ "id": "mail_server_misconfiguration",
102
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
103
+ "children": [
104
+ {
105
+ "id": "no_spoofing_protection_on_email_domain",
106
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
107
+ },
108
+ {
109
+ "id": "email_spoofing_to_inbox_due_to_missing_or_misconfigured_dmarc_on_email_domain",
110
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"
111
+ }
112
+ ]
113
+ },
114
+ {
115
+ "id": "dbms_misconfiguration",
116
+ "children": [
117
+ {
118
+ "id": "excessively_privileged_user_dba",
119
+ "cvss_v3": "AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N"
120
+ }
121
+ ]
122
+ },
123
+ {
124
+ "id": "lack_of_password_confirmation",
125
+ "cvss_v3": "AV:P/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L",
126
+ "children": [
127
+ {
128
+ "id": "manage_two_fa",
129
+ "cvss_v3": "AV:P/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L"
130
+ }
131
+ ]
132
+ },
133
+ {
134
+ "id": "no_rate_limiting_on_form",
135
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
136
+ "children": [
137
+ {
138
+ "id": "login",
139
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
140
+ },
141
+ {
142
+ "id": "change_password",
143
+ "cvss_v3": "AV:P/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L"
144
+ }
145
+ ]
146
+ },
147
+ {
148
+ "id": "unsafe_file_upload",
149
+ "children": [
150
+ {
151
+ "id": "no_antivirus",
152
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N"
153
+ },
154
+ {
155
+ "id": "no_size_limit",
156
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
157
+ },
158
+ {
159
+ "id": "file_extension_filter_bypass",
160
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
161
+ }
162
+ ]
163
+ },
164
+ {
165
+ "id": "cookie_scoped_to_parent_domain",
166
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
167
+ },
168
+ {
169
+ "id": "missing_secure_or_httponly_cookie_flag",
170
+ "children": [
171
+ {
172
+ "id": "session_token",
173
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
174
+ },
175
+ {
176
+ "id": "non_session_cookie",
177
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
178
+ }
179
+ ]
180
+ },
181
+ {
182
+ "id": "clickjacking",
183
+ "children": [
184
+ {
185
+ "id": "sensitive_action",
186
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
187
+ },
188
+ {
189
+ "id": "form_input",
190
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"
191
+ },
192
+ {
193
+ "id": "non_sensitive_action",
194
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N"
195
+ }
196
+ ]
197
+ },
198
+ {
199
+ "id": "oauth_misconfiguration",
200
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
201
+ "children": [
202
+ {
203
+ "id": "account_takeover",
204
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
205
+ },
206
+ {
207
+ "id": "account_squatting",
208
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N"
209
+ }
210
+ ]
211
+ },
212
+ {
213
+ "id": "captcha",
214
+ "children": [
215
+ {
216
+ "id": "implementation_vulnerability",
217
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
218
+ },
219
+ {
220
+ "id": "brute_force",
221
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
222
+ },
223
+ {
224
+ "id": "missing",
225
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
226
+ }
227
+ ]
228
+ },
229
+ {
230
+ "id": "exposed_admin_portal",
231
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
232
+ },
233
+ {
234
+ "id": "missing_dnssec",
235
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
236
+ },
237
+ {
238
+ "id": "fingerprinting_banner_disclosure",
239
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
240
+ },
241
+ {
242
+ "id": "username_enumeration",
243
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
244
+ },
245
+ {
246
+ "id": "potentially_unsafe_http_method_enabled",
247
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
248
+ },
249
+ {
250
+ "id": "insecure_ssl",
251
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
252
+ },
253
+ {
254
+ "id": "rfd",
255
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N"
256
+ },
257
+ {
258
+ "id": "lack_of_security_headers",
259
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N",
260
+ "children": [
261
+ {
262
+ "id": "cache_control_for_a_sensitive_page",
263
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
264
+ }
265
+ ]
266
+ },
267
+ {
268
+ "id": "waf_bypass",
269
+ "children": [
270
+ {
271
+ "id": "direct_server_access",
272
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
273
+ }
274
+ ]
275
+ },
276
+ {
277
+ "id": "race_condition",
278
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
279
+ },
280
+ {
281
+ "id": "cache_poisoning",
282
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
283
+ },
284
+ {
285
+ "id": "bitsquatting",
286
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
287
+ }
288
+ ]
289
+ },
290
+ {
291
+ "id": "server_side_injection",
292
+ "children": [
293
+ {
294
+ "id": "file_inclusion",
295
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"
296
+ },
297
+ {
298
+ "id": "parameter_pollution",
299
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
300
+ },
301
+ {
302
+ "id": "remote_code_execution_rce",
303
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
304
+ },
305
+ {
306
+ "id": "ldap_injection",
307
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
308
+ },
309
+ {
310
+ "id": "sql_injection",
311
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"
312
+ },
313
+ {
314
+ "id": "xml_external_entity_injection_xxe",
315
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"
316
+ },
317
+ {
318
+ "id": "http_response_manipulation",
319
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
320
+ },
321
+ {
322
+ "id": "content_spoofing",
323
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N",
324
+ "children": [
325
+ {
326
+ "id": "iframe_injection",
327
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"
328
+ },
329
+ {
330
+ "id": "impersonation_via_broken_link_hijacking",
331
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
332
+ },
333
+ {
334
+ "id": "external_authentication_injection",
335
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"
336
+ },
337
+ {
338
+ "id": "flash_based_external_authentication_injection",
339
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
340
+ },
341
+ {
342
+ "id": "html_content_injection",
343
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
344
+ },
345
+ {
346
+ "id": "email_html_injection",
347
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"
348
+ }
349
+ ]
350
+ },
351
+ {
352
+ "id": "ssti",
353
+ "children": [
354
+ {
355
+ "id": "basic",
356
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
357
+ },
358
+ {
359
+ "id": "custom",
360
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
361
+ }
362
+ ]
363
+ }
364
+ ]
365
+ },
366
+ {
367
+ "id": "broken_authentication_and_session_management",
368
+ "children": [
369
+ {
370
+ "id": "authentication_bypass",
371
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
372
+ },
373
+ {
374
+ "id": "two_fa_bypass",
375
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
376
+ },
377
+ {
378
+ "id": "cleartext_transmission_of_session_token",
379
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
380
+ },
381
+ {
382
+ "id": "weak_login_function",
383
+ "children": [
384
+ {
385
+ "id": "not_operational",
386
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
387
+ },
388
+ {
389
+ "id": "other_plaintext_protocol_no_secure_alternative",
390
+ "cvss_v3": "AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
391
+ },
392
+ {
393
+ "id": "over_http",
394
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"
395
+ }
396
+ ]
397
+ },
398
+ {
399
+ "id": "session_fixation",
400
+ "children": [
401
+ {
402
+ "id": "remote_attack_vector",
403
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N"
404
+ },
405
+ {
406
+ "id": "local_attack_vector",
407
+ "cvss_v3": "AV:P/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N"
408
+ }
409
+ ]
410
+ },
411
+ {
412
+ "id": "failure_to_invalidate_session",
413
+ "children": [
414
+ {
415
+ "id": "on_logout",
416
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N"
417
+ },
418
+ {
419
+ "id": "permission_change",
420
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N"
421
+ },
422
+ {
423
+ "id": "on_logout_server_side_only",
424
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N"
425
+ },
426
+ {
427
+ "id": "on_password_change",
428
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N"
429
+ },
430
+ {
431
+ "id": "all_sessions",
432
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N"
433
+ },
434
+ {
435
+ "id": "on_email_change",
436
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N"
437
+ },
438
+ {
439
+ "id": "on_two_fa_activation_change",
440
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N"
441
+ },
442
+ {
443
+ "id": "long_timeout",
444
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N"
445
+ }
446
+ ]
447
+ },
448
+ {
449
+ "id": "concurrent_logins",
450
+ "cvss_v3": "AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N"
451
+ },
452
+ {
453
+ "id": "weak_registration_implementation",
454
+ "cvss_v3": "AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"
455
+ }
456
+ ]
457
+ },
458
+ {
459
+ "id": "data_biases",
460
+ "children": [
461
+ {
462
+ "id": "representation_bias",
463
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N"
464
+ },
465
+ {
466
+ "id": "pre_existing_bias",
467
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N"
468
+ }
469
+ ]
470
+ },
471
+ {
472
+ "id": "algorithmic_biases",
473
+ "children": [
474
+ {
475
+ "id": "processing_bias",
476
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N"
477
+ },
478
+ {
479
+ "id": "aggregation_bias",
480
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N"
481
+ }
482
+ ]
483
+ },
484
+ {
485
+ "id": "societal_biases",
486
+ "children": [
487
+ {
488
+ "id": "confirmation_bias",
489
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
490
+ },
491
+ {
492
+ "id": "systemic_bias",
493
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N"
494
+ }
495
+ ]
496
+ },
497
+ {
498
+ "id": "misinterpretation_biases",
499
+ "children": [
500
+ {
501
+ "id": "context_ignorance",
502
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
503
+ }
504
+ ]
505
+ },
506
+ {
507
+ "id": "developer_biases",
508
+ "children": [
509
+ {
510
+ "id": "implicit_bias",
511
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:N"
512
+ }
513
+ ]
514
+ },
515
+ {
516
+ "id": "sensitive_data_exposure",
517
+ "children": [
518
+ {
519
+ "id": "disclosure_of_secrets",
520
+ "children": [
521
+ {
522
+ "id": "for_publicly_accessible_asset",
523
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
524
+ },
525
+ {
526
+ "id": "pii_leakage_exposure",
527
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"
528
+ },
529
+ {
530
+ "id": "for_internal_asset",
531
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L"
532
+ },
533
+ {
534
+ "id": "pay_per_use_abuse",
535
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
536
+ },
537
+ {
538
+ "id": "intentionally_public_sample_or_invalid",
539
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
540
+ },
541
+ {
542
+ "id": "data_traffic_spam",
543
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
544
+ },
545
+ {
546
+ "id": "non_corporate_user",
547
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
548
+ }
549
+ ]
550
+ },
551
+ {
552
+ "id": "exif_geolocation_data_not_stripped_from_uploaded_images",
553
+ "children": [
554
+ {
555
+ "id": "automatic_user_enumeration",
556
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
557
+ },
558
+ {
559
+ "id": "manual_user_enumeration",
560
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
561
+ }
562
+ ]
563
+ },
564
+ {
565
+ "id": "visible_detailed_error_page",
566
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
567
+ "children": [
568
+ {
569
+ "id": "detailed_server_configuration",
570
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
571
+ }
572
+ ]
573
+ },
574
+ {
575
+ "id": "disclosure_of_known_public_information",
576
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
577
+ },
578
+ {
579
+ "id": "token_leakage_via_referer",
580
+ "children": [
581
+ {
582
+ "id": "trusted_third_party",
583
+ "cvss_v3": "AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N"
584
+ },
585
+ {
586
+ "id": "untrusted_third_party",
587
+ "cvss_v3": "AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N"
588
+ },
589
+ {
590
+ "id": "over_http",
591
+ "cvss_v3": "AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N"
592
+ },
593
+ {
594
+ "id": "password_reset_token",
595
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
596
+ }
597
+ ]
598
+ },
599
+ {
600
+ "id": "sensitive_token_in_url",
601
+ "cvss_v3": "AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
602
+ },
603
+ {
604
+ "id": "non_sensitive_token_in_url",
605
+ "cvss_v3": "AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
606
+ },
607
+ {
608
+ "id": "weak_password_reset_implementation",
609
+ "cvss_v3": "AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N",
610
+ "children": [
611
+ {
612
+ "id": "token_leakage_via_host_header_poisoning",
613
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L"
614
+ }
615
+ ]
616
+ },
617
+ {
618
+ "id": "mixed_content",
619
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:N"
620
+ },
621
+ {
622
+ "id": "sensitive_data_hardcoded",
623
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
624
+ },
625
+ {
626
+ "id": "internal_ip_disclosure",
627
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
628
+ },
629
+ {
630
+ "id": "xssi",
631
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N"
632
+ },
633
+ {
634
+ "id": "json_hijacking",
635
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N"
636
+ },
637
+ {
638
+ "id": "via_localstorage_sessionstorage",
639
+ "children": [
640
+ {
641
+ "id": "sensitive_token",
642
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
643
+ },
644
+ {
645
+ "id": "non_sensitive_token",
646
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
647
+ }
648
+ ]
649
+ }
650
+ ]
651
+ },
652
+ {
653
+ "id": "cross_site_scripting_xss",
654
+ "children": [
655
+ {
656
+ "id": "stored",
657
+ "children": [
658
+ {
659
+ "id": "non_admin_to_anyone",
660
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N"
661
+ },
662
+ {
663
+ "id": "privileged_user_to_privilege_elevation",
664
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N"
665
+ },
666
+ {
667
+ "id": "privileged_user_to_no_privilege_elevation",
668
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N"
669
+ },
670
+ {
671
+ "id": "url_based",
672
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
673
+ },
674
+ {
675
+ "id": "self",
676
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
677
+ }
678
+ ]
679
+ },
680
+ {
681
+ "id": "reflected",
682
+ "children": [
683
+ {
684
+ "id": "non_self",
685
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
686
+ },
687
+ {
688
+ "id": "self",
689
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
690
+ }
691
+ ]
692
+ },
693
+ {
694
+ "id": "flash_based",
695
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:N"
696
+ },
697
+ {
698
+ "id": "cookie_based",
699
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:N"
700
+ },
701
+ {
702
+ "id": "ie_only",
703
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
704
+ },
705
+ {
706
+ "id": "referer",
707
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
708
+ },
709
+ {
710
+ "id": "trace_method",
711
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
712
+ },
713
+ {
714
+ "id": "universal_uxss",
715
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
716
+ },
717
+ {
718
+ "id": "off_domain",
719
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
720
+ }
721
+ ]
722
+ },
723
+ {
724
+ "id": "broken_access_control",
725
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
726
+ "children": [
727
+ {
728
+ "id": "username_enumeration",
729
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
730
+ },
731
+ {
732
+ "id": "privilege_escalation",
733
+ "cvss_v3": "AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N"
734
+ }
735
+ ]
736
+ },
737
+ {
738
+ "id": "cross_site_request_forgery_csrf",
739
+ "children": [
740
+ {
741
+ "id": "application_wide",
742
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L"
743
+ },
744
+ {
745
+ "id": "action_specific",
746
+ "children": [
747
+ {
748
+ "id": "authenticated_action",
749
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N"
750
+ },
751
+ {
752
+ "id": "unauthenticated_action",
753
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
754
+ },
755
+ {
756
+ "id": "logout",
757
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N"
758
+ }
759
+ ]
760
+ },
761
+ {
762
+ "id": "csrf_token_not_unique_per_request",
763
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
764
+ },
765
+ {
766
+ "id": "flash_based",
767
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
768
+ }
769
+ ]
770
+ },
771
+ {
772
+ "id": "application_level_denial_of_service_dos",
773
+ "children": [
774
+ {
775
+ "id": "critical_impact_and_or_easy_difficulty",
776
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
777
+ },
778
+ {
779
+ "id": "high_impact_and_or_medium_difficulty",
780
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
781
+ },
782
+ {
783
+ "id": "app_crash",
784
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
785
+ },
786
+ {
787
+ "id": "excessive_resource_consumption",
788
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H"
789
+ }
790
+ ]
791
+ },
792
+ {
793
+ "id": "unvalidated_redirects_and_forwards",
794
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
795
+ "children": [
796
+ {
797
+ "id": "open_redirect",
798
+ "children": [
799
+ {
800
+ "id": "get_based",
801
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
802
+ }
803
+ ]
804
+ }
805
+ ]
806
+ },
807
+ {
808
+ "id": "external_behavior",
809
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
810
+ },
811
+ {
812
+ "id": "insufficient_security_configurability",
813
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
814
+ "children": [
815
+ {
816
+ "id": "no_password_policy",
817
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"
818
+ },
819
+ {
820
+ "id": "weak_password_reset_implementation",
821
+ "children": [
822
+ {
823
+ "id": "token_is_not_invalidated_after_use",
824
+ "cvss_v3": "AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"
825
+ }
826
+ ]
827
+ },
828
+ {
829
+ "id": "weak_two_fa_implementation",
830
+ "children": [
831
+ {
832
+ "id": "two_fa_secret_cannot_be_rotated",
833
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
834
+ },
835
+ {
836
+ "id": "two_fa_secret_remains_obtainable_after_two_fa_is_enabled",
837
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
838
+ }
839
+ ]
840
+ }
841
+ ]
842
+ },
843
+ {
844
+ "id": "using_components_with_known_vulnerabilities",
845
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
846
+ "children": [
847
+ {
848
+ "id": "rosetta_flash",
849
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
850
+ }
851
+ ]
852
+ },
853
+ {
854
+ "id": "insecure_data_storage",
855
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
856
+ "children": [
857
+ {
858
+ "id": "sensitive_application_data_stored_unencrypted",
859
+ "children": [
860
+ {
861
+ "id": "on_external_storage",
862
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
863
+ }
864
+ ]
865
+ },
866
+ {
867
+ "id": "server_side_credentials_storage",
868
+ "children": [
869
+ {
870
+ "id": "plaintext",
871
+ "cvss_v3": "AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:N"
872
+ }
873
+ ]
874
+ }
875
+ ]
876
+ },
877
+ {
878
+ "id": "lack_of_binary_hardening",
879
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
880
+ },
881
+ {
882
+ "id": "insecure_data_transport",
883
+ "children": [
884
+ {
885
+ "id": "cleartext_transmission_of_sensitive_data",
886
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
887
+ },
888
+ {
889
+ "id": "executable_download",
890
+ "children": [
891
+ {
892
+ "id": "no_secure_integrity_check",
893
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N"
894
+ },
895
+ {
896
+ "id": "secure_integrity_check",
897
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:N"
898
+ }
899
+ ]
900
+ }
901
+ ]
902
+ },
903
+ {
904
+ "id": "physical_security_issues",
905
+ "children": [
906
+ {
907
+ "id": "bypass_of_physical_access_control",
908
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L"
909
+ },
910
+ {
911
+ "id": "weakness_in_physical_access_control",
912
+ "children": [
913
+ {
914
+ "id": "cloneable_key",
915
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"
916
+ },
917
+ {
918
+ "id": "master_key_identification",
919
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L"
920
+ },
921
+ {
922
+ "id": "commonly_keyed_system",
923
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N"
924
+ }
925
+ ]
926
+ }
927
+ ]
928
+ },
929
+ {
930
+ "id": "insecure_os_firmware",
931
+ "children": [
932
+ {
933
+ "id": "command_injection",
934
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
935
+ },
936
+ {
937
+ "id": "hardcoded_password",
938
+ "children": [
939
+ {
940
+ "id": "privileged_user",
941
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
942
+ },
943
+ {
944
+ "id": "non_privileged_user",
945
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
946
+ }
947
+ ]
948
+ },
949
+ {
950
+ "id": "weakness_in_firmware_updates",
951
+ "children": [
952
+ {
953
+ "id": "firmware_cannot_be_updated",
954
+ "cvss_v3": "AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L"
955
+ },
956
+ {
957
+ "id": "firmware_does_not_validate_update_integrity",
958
+ "cvss_v3": "AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H"
959
+ },
960
+ {
961
+ "id": "firmware_is_not_encrypted",
962
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
963
+ }
964
+ ]
965
+ },
966
+ {
967
+ "id": "kiosk_escape_or_breakout",
968
+ "cvss_v3": "AV:P/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L"
969
+ },
970
+ {
971
+ "id": "poorly_configured_disk_encryption",
972
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
973
+ },
974
+ {
975
+ "id": "shared_credentials_on_storage",
976
+ "cvss_v3": "AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
977
+ },
978
+ {
979
+ "id": "over_permissioned_credentials_on_storage",
980
+ "cvss_v3": "AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
981
+ },
982
+ {
983
+ "id": "local_administrator_on_default_environment",
984
+ "cvss_v3": "AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
985
+ },
986
+ {
987
+ "id": "poorly_configured_operating_system_security",
988
+ "cvss_v3": "AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L"
989
+ },
990
+ {
991
+ "id": "recovery_of_disk_contains_sensitive_material",
992
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
993
+ },
994
+ {
995
+ "id": "failure_to_remove_sensitive_artifacts_from_disk",
996
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
997
+ },
998
+ {
999
+ "id": "data_not_encrypted_at_rest",
1000
+ "children": [
1001
+ {
1002
+ "id": "non_sensitive",
1003
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
1004
+ },
1005
+ {
1006
+ "id": "sensitive",
1007
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
1008
+ }
1009
+ ]
1010
+ }
1011
+ ]
1012
+ },
1013
+ {
1014
+ "id": "cryptographic_weakness",
1015
+ "children": [
1016
+ {
1017
+ "id": "insufficient_entropy",
1018
+ "children": [
1019
+ {
1020
+ "id": "limited_rng_entropy_source",
1021
+ "cvss_v3": "AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"
1022
+ },
1023
+ {
1024
+ "id": "use_of_trng_for_nonsecurity_purpose",
1025
+ "cvss_v3": "AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"
1026
+ },
1027
+ {
1028
+ "id": "prng_seed_reuse",
1029
+ "cvss_v3": "AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"
1030
+ },
1031
+ {
1032
+ "id": "predictable_prng_seed",
1033
+ "cvss_v3": "AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"
1034
+ },
1035
+ {
1036
+ "id": "small_seed_space_in_prng",
1037
+ "cvss_v3": "AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"
1038
+ },
1039
+ {
1040
+ "id": "initialization_vector_reuse",
1041
+ "cvss_v3": "AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"
1042
+ },
1043
+ {
1044
+ "id": "predictable_initialization_vector",
1045
+ "cvss_v3": "AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"
1046
+ }
1047
+ ]
1048
+ },
1049
+ {
1050
+ "id": "insecure_implementation",
1051
+ "children": [
1052
+ {
1053
+ "id": "missing_cryptographic_step",
1054
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L"
1055
+ },
1056
+ {
1057
+ "id": "improper_following_of_specification",
1058
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L"
1059
+ }
1060
+ ]
1061
+ },
1062
+ {
1063
+ "id": "weak_hash",
1064
+ "children": [
1065
+ {
1066
+ "id": "lack_of_salt",
1067
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N"
1068
+ },
1069
+ {
1070
+ "id": "use_of_predictable_salt",
1071
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N"
1072
+ },
1073
+ {
1074
+ "id": "predictable_hash_collision",
1075
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N"
1076
+ }
1077
+ ]
1078
+ },
1079
+ {
1080
+ "id": "insufficient_verification_of_data_authenticity",
1081
+ "children": [
1082
+ {
1083
+ "id": "identity_check_value",
1084
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N"
1085
+ },
1086
+ {
1087
+ "id": "cryptographic_signature",
1088
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N"
1089
+ }
1090
+ ]
1091
+ },
1092
+ {
1093
+ "id": "insecure_key_generation",
1094
+ "children": [
1095
+ {
1096
+ "id": "improper_asymmetric_prime_selection",
1097
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"
1098
+ },
1099
+ {
1100
+ "id": "improper_asymmetric_exponent_selection",
1101
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"
1102
+ },
1103
+ {
1104
+ "id": "insufficient_key_stretching",
1105
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N"
1106
+ },
1107
+ {
1108
+ "id": "insufficient_key_space",
1109
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
1110
+ },
1111
+ {
1112
+ "id": "key_exchange_without_entity_authentication",
1113
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N"
1114
+ }
1115
+ ]
1116
+ },
1117
+ {
1118
+ "id": "key_reuse",
1119
+ "children": [
1120
+ {
1121
+ "id": "lack_of_perfect_forward_secrecy",
1122
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
1123
+ },
1124
+ {
1125
+ "id": "intra_environment",
1126
+ "cvss_v3": "AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"
1127
+ },
1128
+ {
1129
+ "id": "inter_environment",
1130
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H"
1131
+ }
1132
+ ]
1133
+ },
1134
+ {
1135
+ "id": "broken_cryptography",
1136
+ "children": [
1137
+ {
1138
+ "id": "use_of_broken_cryptographic_primitive",
1139
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
1140
+ },
1141
+ {
1142
+ "id": "use_of_vulnerable_cryptographic_library",
1143
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N"
1144
+ }
1145
+ ]
1146
+ },
1147
+ {
1148
+ "id": "side_channel_attack",
1149
+ "children": [
1150
+ {
1151
+ "id": "padding_oracle_attack",
1152
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
1153
+ },
1154
+ {
1155
+ "id": "timing_attack",
1156
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
1157
+ },
1158
+ {
1159
+ "id": "power_analysis_attack",
1160
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
1161
+ },
1162
+ {
1163
+ "id": "emanations_attack",
1164
+ "cvss_v3": "AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
1165
+ },
1166
+ {
1167
+ "id": "differential_fault_analysis",
1168
+ "cvss_v3": "AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
1169
+ }
1170
+ ]
1171
+ },
1172
+ {
1173
+ "id": "use_of_expired_cryptographic_key_or_cert",
1174
+ "cvss_v3": "AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"
1175
+ },
1176
+ {
1177
+ "id": "incomplete_cleanup_of_keying_material",
1178
+ "cvss_v3": "AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L"
1179
+ }
1180
+ ]
1181
+ },
1182
+ {
1183
+ "id": "privacy_concerns",
1184
+ "children": [
1185
+ {
1186
+ "id": "unnecessary_data_collection",
1187
+ "children": [
1188
+ {
1189
+ "id": "wifi_ssid_password",
1190
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
1191
+ }
1192
+ ]
1193
+ }
1194
+ ]
1195
+ },
1196
+ {
1197
+ "id": "network_security_misconfiguration",
1198
+ "children": [
1199
+ {
1200
+ "id": "telnet_enabled",
1201
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
1202
+ }
1203
+ ]
1204
+ },
1205
+ {
1206
+ "id": "mobile_security_misconfiguration",
1207
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
1208
+ "children": [
1209
+ {
1210
+ "id": "clipboard_enabled",
1211
+ "cvss_v3": "AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N"
1212
+ },
1213
+ {
1214
+ "id": "auto_backup_allowed_by_default",
1215
+ "cvss_v3": "AV:P/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"
1216
+ }
1217
+ ]
1218
+ },
1219
+ {
1220
+ "id": "client_side_injection",
1221
+ "children": [
1222
+ {
1223
+ "id": "binary_planting",
1224
+ "children": [
1225
+ {
1226
+ "id": "privilege_escalation",
1227
+ "cvss_v3": "AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
1228
+ },
1229
+ {
1230
+ "id": "non_default_folder_privilege_escalation",
1231
+ "cvss_v3": "AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N"
1232
+ },
1233
+ {
1234
+ "id": "no_privilege_escalation",
1235
+ "cvss_v3": "AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N"
1236
+ }
1237
+ ]
1238
+ }
1239
+ ]
1240
+ },
1241
+ {
1242
+ "id": "automotive_security_misconfiguration",
1243
+ "children": [
1244
+ {
1245
+ "id": "infotainment_radio_head_unit",
1246
+ "children": [
1247
+ {
1248
+ "id": "sensitive_data_leakage_exposure",
1249
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"
1250
+ },
1251
+ {
1252
+ "id": "ota_firmware_manipulation",
1253
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
1254
+ },
1255
+ {
1256
+ "id": "code_execution_can_bus_pivot",
1257
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
1258
+ },
1259
+ {
1260
+ "id": "code_execution_no_can_bus_pivot",
1261
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L"
1262
+ },
1263
+ {
1264
+ "id": "unauthorized_access_to_services",
1265
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L"
1266
+ },
1267
+ {
1268
+ "id": "source_code_dump",
1269
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"
1270
+ },
1271
+ {
1272
+ "id": "dos_brick",
1273
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
1274
+ },
1275
+ {
1276
+ "id": "default_credentials",
1277
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
1278
+ }
1279
+ ]
1280
+ },
1281
+ {
1282
+ "id": "rf_hub",
1283
+ "children": [
1284
+ {
1285
+ "id": "key_fob_cloning",
1286
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"
1287
+ },
1288
+ {
1289
+ "id": "can_injection_interaction",
1290
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
1291
+ },
1292
+ {
1293
+ "id": "data_leakage_pull_encryption_mechanism",
1294
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"
1295
+ },
1296
+ {
1297
+ "id": "unauthorized_access_turn_on",
1298
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L"
1299
+ },
1300
+ {
1301
+ "id": "roll_jam",
1302
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
1303
+ },
1304
+ {
1305
+ "id": "replay",
1306
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
1307
+ },
1308
+ {
1309
+ "id": "relay",
1310
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
1311
+ }
1312
+ ]
1313
+ },
1314
+ {
1315
+ "id": "can",
1316
+ "children": [
1317
+ {
1318
+ "id": "injection_battery_management_system",
1319
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
1320
+ },
1321
+ {
1322
+ "id": "injection_steering_control",
1323
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
1324
+ },
1325
+ {
1326
+ "id": "injection_pyrotechnical_device_deployment_tool",
1327
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
1328
+ },
1329
+ {
1330
+ "id": "injection_headlights",
1331
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
1332
+ },
1333
+ {
1334
+ "id": "injection_sensors",
1335
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
1336
+ },
1337
+ {
1338
+ "id": "injection_vehicle_anti_theft_systems",
1339
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
1340
+ },
1341
+ {
1342
+ "id": "injection_powertrain",
1343
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
1344
+ },
1345
+ {
1346
+ "id": "injection_basic_safety_message",
1347
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
1348
+ },
1349
+ {
1350
+ "id": "injection_disallowed_messages",
1351
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
1352
+ },
1353
+ {
1354
+ "id": "injection_dos",
1355
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
1356
+ }
1357
+ ]
1358
+ },
1359
+ {
1360
+ "id": "battery_management_system",
1361
+ "children": [
1362
+ {
1363
+ "id": "firmware_dump",
1364
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"
1365
+ },
1366
+ {
1367
+ "id": "fraudulent_interface",
1368
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H"
1369
+ }
1370
+ ]
1371
+ },
1372
+ {
1373
+ "id": "gnss_gps",
1374
+ "children": [
1375
+ {
1376
+ "id": "spoofing",
1377
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
1378
+ }
1379
+ ]
1380
+ },
1381
+ {
1382
+ "id": "immobilizer",
1383
+ "children": [
1384
+ {
1385
+ "id": "engine_start",
1386
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
1387
+ }
1388
+ ]
1389
+ },
1390
+ {
1391
+ "id": "abs",
1392
+ "children": [
1393
+ {
1394
+ "id": "unintended_acceleration_brake",
1395
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
1396
+ }
1397
+ ]
1398
+ },
1399
+ {
1400
+ "id": "rsu",
1401
+ "children": [
1402
+ {
1403
+ "id": "sybil_attack",
1404
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
1405
+ }
1406
+ ]
1407
+ }
1408
+ ]
1409
+ },
1410
+ {
1411
+ "id": "indicators_of_compromise",
1412
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
1413
+ },
1414
+ {
1415
+ "id": "ai_application_security",
1416
+ "children": [
1417
+ {
1418
+ "id": "llm_security",
1419
+ "children": [
1420
+ {
1421
+ "id": "prompt_injection",
1422
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L"
1423
+ },
1424
+ {
1425
+ "id": "llm_output_handling",
1426
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L"
1427
+ },
1428
+ {
1429
+ "id": "training_data_poisoning",
1430
+ "cvss_v3": "AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"
1431
+ },
1432
+ {
1433
+ "id": "excessive_agency_permission_manipulation",
1434
+ "cvss_v3": "AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"
1435
+ }
1436
+ ]
1437
+ }
1438
+ ]
1439
+ }
1440
+ ]
1441
+ }