vrt 0.13.4 → 0.13.6

@@ -0,0 +1,1418 @@
1
+ {
2
+ "metadata": {
3
+ "default": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
4
+ },
5
+ "content": [
6
+ {
7
+ "id": "ai_application_security",
8
+ "children": [
9
+ {
10
+ "id": "adversarial_example_injection",
11
+ "children": [
12
+ {
13
+ "id": "ai_misclassification_attacks",
14
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L"
15
+ }
16
+ ]
17
+ },
18
+ {
19
+ "id": "ai_safety",
20
+ "children": [
21
+ {
22
+ "id": "misinformation_wrong_factual_data",
23
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N"
24
+ }
25
+ ]
26
+ },
27
+ {
28
+ "id": "denial_of_service_dos",
29
+ "children": [
30
+ {
31
+ "id": "application_wide",
32
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H"
33
+ },
34
+ {
35
+ "id": "tenant_scoped",
36
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L"
37
+ }
38
+ ]
39
+ },
40
+ {
41
+ "id": "improper_input_handling",
42
+ "children": [
43
+ {
44
+ "id": "ansi_escape_codes",
45
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
46
+ },
47
+ {
48
+ "id": "rtl_overrides",
49
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
50
+ },
51
+ {
52
+ "id": "unicode_confusables",
53
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
54
+ }
55
+ ]
56
+ },
57
+ {
58
+ "id": "improper_output_handling",
59
+ "children": [
60
+ {
61
+ "id": "cross_site_scripting_xss",
62
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
63
+ },
64
+ {
65
+ "id": "markdown_html_injection",
66
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
67
+ }
68
+ ]
69
+ },
70
+ {
71
+ "id": "insufficient_rate_limiting",
72
+ "children": [
73
+ {
74
+ "id": "query_flooding_api_token_abuse",
75
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H"
76
+ }
77
+ ]
78
+ },
79
+ {
80
+ "id": "model_extraction",
81
+ "children": [
82
+ {
83
+ "id": "api_query_based_model_reconstruction",
84
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
85
+ }
86
+ ]
87
+ },
88
+ {
89
+ "id": "prompt_injection",
90
+ "children": [
91
+ {
92
+ "id": "system_prompt_leakage",
93
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N"
94
+ }
95
+ ]
96
+ },
97
+ {
98
+ "id": "remote_code_execution",
99
+ "children": [
100
+ {
101
+ "id": "full_system_compromise",
102
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
103
+ },
104
+ {
105
+ "id": "sandboxed_container_code_execution",
106
+ "cvss_v3": "AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:H"
107
+ }
108
+ ]
109
+ },
110
+ {
111
+ "id": "sensitive_information_disclosure",
112
+ "children": [
113
+ {
114
+ "id": "cross_tenant_pii_leakage_exposure",
115
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"
116
+ },
117
+ {
118
+ "id": "key_leak",
119
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
120
+ }
121
+ ]
122
+ },
123
+ {
124
+ "id": "training_data_poisoning",
125
+ "children": [
126
+ {
127
+ "id": "backdoor_injection_bias_manipulation",
128
+ "cvss_v3": "AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"
129
+ }
130
+ ]
131
+ },
132
+ {
133
+ "id": "vector_and_embedding_weaknesses",
134
+ "children": [
135
+ {
136
+ "id": "embedding_exfiltration_model_extraction",
137
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"
138
+ },
139
+ {
140
+ "id": "semantic_indexing",
141
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
142
+ }
143
+ ]
144
+ }
145
+ ]
146
+ },
147
+ {
148
+ "id": "algorithmic_biases",
149
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
150
+ },
151
+ {
152
+ "id": "application_level_denial_of_service_dos",
153
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
154
+ "children": [
155
+ {
156
+ "id": "critical_impact_and_or_easy_difficulty",
157
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
158
+ },
159
+ {
160
+ "id": "excessive_resource_consumption",
161
+ "children": [
162
+ {
163
+ "id": "injection_prompt",
164
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
165
+ }
166
+ ],
167
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H"
168
+ },
169
+ {
170
+ "id": "high_impact_and_or_medium_difficulty",
171
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
172
+ }
173
+ ]
174
+ },
175
+ {
176
+ "id": "automotive_security_misconfiguration",
177
+ "children": [
178
+ {
179
+ "id": "abs",
180
+ "children": [
181
+ {
182
+ "id": "unintended_acceleration_brake",
183
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
184
+ }
185
+ ]
186
+ },
187
+ {
188
+ "id": "battery_management_system",
189
+ "children": [
190
+ {
191
+ "id": "firmware_dump",
192
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"
193
+ },
194
+ {
195
+ "id": "fraudulent_interface",
196
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H"
197
+ }
198
+ ]
199
+ },
200
+ {
201
+ "id": "can",
202
+ "children": [
203
+ {
204
+ "id": "injection_basic_safety_message",
205
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
206
+ },
207
+ {
208
+ "id": "injection_battery_management_system",
209
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
210
+ },
211
+ {
212
+ "id": "injection_disallowed_messages",
213
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
214
+ },
215
+ {
216
+ "id": "injection_dos",
217
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
218
+ },
219
+ {
220
+ "id": "injection_headlights",
221
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
222
+ },
223
+ {
224
+ "id": "injection_powertrain",
225
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
226
+ },
227
+ {
228
+ "id": "injection_pyrotechnical_device_deployment_tool",
229
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
230
+ },
231
+ {
232
+ "id": "injection_sensors",
233
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
234
+ },
235
+ {
236
+ "id": "injection_steering_control",
237
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
238
+ },
239
+ {
240
+ "id": "injection_vehicle_anti_theft_systems",
241
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
242
+ }
243
+ ]
244
+ },
245
+ {
246
+ "id": "gnss_gps",
247
+ "children": [
248
+ {
249
+ "id": "spoofing",
250
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
251
+ }
252
+ ]
253
+ },
254
+ {
255
+ "id": "immobilizer",
256
+ "children": [
257
+ {
258
+ "id": "engine_start",
259
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
260
+ }
261
+ ]
262
+ },
263
+ {
264
+ "id": "infotainment_radio_head_unit",
265
+ "children": [
266
+ {
267
+ "id": "code_execution_can_bus_pivot",
268
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
269
+ },
270
+ {
271
+ "id": "code_execution_no_can_bus_pivot",
272
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L"
273
+ },
274
+ {
275
+ "id": "default_credentials",
276
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
277
+ },
278
+ {
279
+ "id": "dos_brick",
280
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
281
+ },
282
+ {
283
+ "id": "ota_firmware_manipulation",
284
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
285
+ },
286
+ {
287
+ "id": "sensitive_data_leakage_exposure",
288
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"
289
+ },
290
+ {
291
+ "id": "source_code_dump",
292
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"
293
+ },
294
+ {
295
+ "id": "unauthorized_access_to_services",
296
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L"
297
+ }
298
+ ]
299
+ },
300
+ {
301
+ "id": "rf_hub",
302
+ "children": [
303
+ {
304
+ "id": "can_injection_interaction",
305
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
306
+ },
307
+ {
308
+ "id": "data_leakage_pull_encryption_mechanism",
309
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"
310
+ },
311
+ {
312
+ "id": "key_fob_cloning",
313
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"
314
+ },
315
+ {
316
+ "id": "relay",
317
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
318
+ },
319
+ {
320
+ "id": "replay",
321
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
322
+ },
323
+ {
324
+ "id": "roll_jam",
325
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
326
+ },
327
+ {
328
+ "id": "unauthorized_access_turn_on",
329
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L"
330
+ }
331
+ ]
332
+ },
333
+ {
334
+ "id": "rsu",
335
+ "children": [
336
+ {
337
+ "id": "sybil_attack",
338
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
339
+ }
340
+ ]
341
+ }
342
+ ]
343
+ },
344
+ {
345
+ "id": "blockchain_infrastructure_misconfiguration",
346
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
347
+ },
348
+ {
349
+ "id": "broken_access_control",
350
+ "children": [
351
+ {
352
+ "id": "bypass_of_password_confirmation",
353
+ "cvss_v3": "AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N"
354
+ },
355
+ {
356
+ "id": "exposed_sensitive_android_intent",
357
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
358
+ },
359
+ {
360
+ "id": "exposed_sensitive_ios_url_scheme",
361
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
362
+ },
363
+ {
364
+ "id": "privilege_escalation",
365
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
366
+ },
367
+ {
368
+ "id": "username_enumeration",
369
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
370
+ }
371
+ ],
372
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
373
+ },
374
+ {
375
+ "id": "broken_authentication_and_session_management",
376
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
377
+ "children": [
378
+ {
379
+ "id": "authentication_bypass",
380
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
381
+ },
382
+ {
383
+ "id": "cleartext_transmission_of_session_token",
384
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
385
+ },
386
+ {
387
+ "id": "concurrent_logins",
388
+ "cvss_v3": "AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N"
389
+ },
390
+ {
391
+ "id": "failure_to_invalidate_session",
392
+ "children": [
393
+ {
394
+ "id": "all_sessions",
395
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N"
396
+ },
397
+ {
398
+ "id": "long_timeout",
399
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N"
400
+ },
401
+ {
402
+ "id": "on_email_change",
403
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N"
404
+ },
405
+ {
406
+ "id": "on_logout",
407
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N"
408
+ },
409
+ {
410
+ "id": "on_logout_server_side_only",
411
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N"
412
+ },
413
+ {
414
+ "id": "on_password_change",
415
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N"
416
+ },
417
+ {
418
+ "id": "on_two_fa_activation_change",
419
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N"
420
+ }
421
+ ]
422
+ },
423
+ {
424
+ "id": "saml_replay",
425
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H"
426
+ },
427
+ {
428
+ "id": "session_fixation",
429
+ "children": [
430
+ {
431
+ "id": "local_attack_vector",
432
+ "cvss_v3": "AV:P/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N"
433
+ },
434
+ {
435
+ "id": "remote_attack_vector",
436
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N"
437
+ }
438
+ ]
439
+ },
440
+ {
441
+ "id": "two_fa_bypass",
442
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
443
+ },
444
+ {
445
+ "id": "weak_login_function",
446
+ "children": [
447
+ {
448
+ "id": "other_plaintext_protocol_no_secure_alternative",
449
+ "cvss_v3": "AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
450
+ },
451
+ {
452
+ "id": "over_http",
453
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"
454
+ }
455
+ ]
456
+ },
457
+ {
458
+ "id": "weak_registration_implementation",
459
+ "cvss_v3": "AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"
460
+ }
461
+ ]
462
+ },
463
+ {
464
+ "id": "client_side_injection",
465
+ "children": [
466
+ {
467
+ "id": "binary_planting",
468
+ "children": [
469
+ {
470
+ "id": "no_privilege_escalation",
471
+ "cvss_v3": "AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N"
472
+ },
473
+ {
474
+ "id": "non_default_folder_privilege_escalation",
475
+ "cvss_v3": "AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N"
476
+ },
477
+ {
478
+ "id": "privilege_escalation",
479
+ "cvss_v3": "AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
480
+ }
481
+ ]
482
+ }
483
+ ]
484
+ },
485
+ {
486
+ "id": "cloud_security",
487
+ "children": [
488
+ {
489
+ "id": "identity_and_access_management_iam_misconfigurations",
490
+ "children": [
491
+ {
492
+ "id": "overly_permissive_iam_roles",
493
+ "cvss_v3": "AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"
494
+ },
495
+ {
496
+ "id": "publicly_accessible_iam_credentials",
497
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
498
+ }
499
+ ]
500
+ },
501
+ {
502
+ "id": "logging_and_monitoring_issues",
503
+ "children": [
504
+ {
505
+ "id": "disabled_or_insufficient_logging",
506
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
507
+ }
508
+ ]
509
+ },
510
+ {
511
+ "id": "misconfigured_services_and_apis",
512
+ "children": [
513
+ {
514
+ "id": "exposed_debug_or_admin_interfaces",
515
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
516
+ },
517
+ {
518
+ "id": "insecure_api_endpoints",
519
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
520
+ }
521
+ ]
522
+ },
523
+ {
524
+ "id": "network_configuration_issues",
525
+ "children": [
526
+ {
527
+ "id": "lack_of_network_segmentation",
528
+ "cvss_v3": "AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L"
529
+ },
530
+ {
531
+ "id": "open_management_ports_to_the_internet",
532
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"
533
+ }
534
+ ]
535
+ },
536
+ {
537
+ "id": "storage_misconfigurations",
538
+ "children": [
539
+ {
540
+ "id": "publicly_accessible_cloud_storage",
541
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
542
+ },
543
+ {
544
+ "id": "unencrypted_sensitive_data_at_rest",
545
+ "cvss_v3": "AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
546
+ }
547
+ ]
548
+ }
549
+ ]
550
+ },
551
+ {
552
+ "id": "cross_site_request_forgery_csrf",
553
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
554
+ "children": [
555
+ {
556
+ "id": "action_specific",
557
+ "children": [
558
+ {
559
+ "id": "logout",
560
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N"
561
+ }
562
+ ]
563
+ },
564
+ {
565
+ "id": "application_wide",
566
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L"
567
+ },
568
+ {
569
+ "id": "csrf_token_not_unique_per_request",
570
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
571
+ },
572
+ {
573
+ "id": "flash_based",
574
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
575
+ }
576
+ ]
577
+ },
578
+ {
579
+ "id": "cross_site_scripting_xss",
580
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
581
+ "children": [
582
+ {
583
+ "id": "cookie_based",
584
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:N"
585
+ },
586
+ {
587
+ "id": "flash_based",
588
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:N"
589
+ },
590
+ {
591
+ "id": "ie_only",
592
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
593
+ },
594
+ {
595
+ "id": "off_domain",
596
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
597
+ },
598
+ {
599
+ "id": "referer",
600
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
601
+ },
602
+ {
603
+ "id": "reflected",
604
+ "children": [
605
+ {
606
+ "id": "non_self",
607
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
608
+ }
609
+ ]
610
+ },
611
+ {
612
+ "id": "stored",
613
+ "children": [
614
+ {
615
+ "id": "non_admin_to_anyone",
616
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N"
617
+ },
618
+ {
619
+ "id": "privileged_user_to_no_privilege_elevation",
620
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N"
621
+ },
622
+ {
623
+ "id": "privileged_user_to_privilege_elevation",
624
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N"
625
+ },
626
+ {
627
+ "id": "url_based",
628
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
629
+ }
630
+ ]
631
+ },
632
+ {
633
+ "id": "universal_uxss",
634
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
635
+ }
636
+ ]
637
+ },
638
+ {
639
+ "id": "cryptographic_weakness",
640
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
641
+ "children": [
642
+ {
643
+ "id": "broken_cryptography",
644
+ "children": [
645
+ {
646
+ "id": "use_of_broken_cryptographic_primitive",
647
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
648
+ },
649
+ {
650
+ "id": "use_of_vulnerable_cryptographic_library",
651
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N"
652
+ }
653
+ ]
654
+ },
655
+ {
656
+ "id": "incomplete_cleanup_of_keying_material",
657
+ "cvss_v3": "AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L"
658
+ },
659
+ {
660
+ "id": "insecure_key_generation",
661
+ "children": [
662
+ {
663
+ "id": "insufficient_key_space",
664
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
665
+ },
666
+ {
667
+ "id": "key_exchange_without_entity_authentication",
668
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N"
669
+ }
670
+ ]
671
+ },
672
+ {
673
+ "id": "insufficient_entropy",
674
+ "children": [
675
+ {
676
+ "id": "initialization_vector_reuse",
677
+ "cvss_v3": "AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"
678
+ },
679
+ {
680
+ "id": "limited_rng_entropy_source",
681
+ "cvss_v3": "AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"
682
+ },
683
+ {
684
+ "id": "predictable_initialization_vector",
685
+ "cvss_v3": "AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"
686
+ },
687
+ {
688
+ "id": "predictable_prng_seed",
689
+ "cvss_v3": "AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"
690
+ },
691
+ {
692
+ "id": "prng_seed_reuse",
693
+ "cvss_v3": "AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"
694
+ },
695
+ {
696
+ "id": "small_seed_space_in_prng",
697
+ "cvss_v3": "AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"
698
+ },
699
+ {
700
+ "id": "use_of_trng_for_nonsecurity_purpose",
701
+ "cvss_v3": "AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"
702
+ }
703
+ ]
704
+ },
705
+ {
706
+ "id": "insufficient_verification_of_data_authenticity",
707
+ "children": [
708
+ {
709
+ "id": "identity_check_value",
710
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N"
711
+ }
712
+ ]
713
+ },
714
+ {
715
+ "id": "key_reuse",
716
+ "children": [
717
+ {
718
+ "id": "inter_environment",
719
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H"
720
+ },
721
+ {
722
+ "id": "intra_environment",
723
+ "cvss_v3": "AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"
724
+ },
725
+ {
726
+ "id": "lack_of_perfect_forward_secrecy",
727
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
728
+ }
729
+ ]
730
+ },
731
+ {
732
+ "id": "side_channel_attack",
733
+ "children": [
734
+ {
735
+ "id": "emanations_attack",
736
+ "cvss_v3": "AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
737
+ },
738
+ {
739
+ "id": "padding_oracle_attack",
740
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
741
+ },
742
+ {
743
+ "id": "power_analysis_attack",
744
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
745
+ },
746
+ {
747
+ "id": "timing_attack",
748
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
749
+ }
750
+ ]
751
+ },
752
+ {
753
+ "id": "use_of_expired_cryptographic_key_or_cert",
754
+ "cvss_v3": "AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"
755
+ },
756
+ {
757
+ "id": "weak_hash",
758
+ "children": [
759
+ {
760
+ "id": "use_of_predictable_salt",
761
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N"
762
+ }
763
+ ]
764
+ }
765
+ ]
766
+ },
767
+ {
768
+ "id": "data_biases",
769
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
770
+ },
771
+ {
772
+ "id": "decentralized_application_misconfiguration",
773
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
774
+ },
775
+ {
776
+ "id": "developer_biases",
777
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
778
+ },
779
+ {
780
+ "id": "external_behavior",
781
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
782
+ },
783
+ {
784
+ "id": "indicators_of_compromise",
785
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
786
+ },
787
+ {
788
+ "id": "insecure_data_storage",
789
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
790
+ "children": [
791
+ {
792
+ "id": "sensitive_application_data_stored_unencrypted",
793
+ "children": [
794
+ {
795
+ "id": "on_external_storage",
796
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
797
+ }
798
+ ]
799
+ },
800
+ {
801
+ "id": "server_side_credentials_storage",
802
+ "children": [
803
+ {
804
+ "id": "plaintext",
805
+ "cvss_v3": "AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:N"
806
+ }
807
+ ]
808
+ }
809
+ ]
810
+ },
811
+ {
812
+ "id": "insecure_data_transport",
813
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
814
+ "children": [
815
+ {
816
+ "id": "executable_download",
817
+ "children": [
818
+ {
819
+ "id": "no_secure_integrity_check",
820
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N"
821
+ },
822
+ {
823
+ "id": "secure_integrity_check",
824
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:N"
825
+ }
826
+ ]
827
+ }
828
+ ]
829
+ },
830
+ {
831
+ "id": "insecure_os_firmware",
832
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
833
+ "children": [
834
+ {
835
+ "id": "command_injection",
836
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
837
+ },
838
+ {
839
+ "id": "data_not_encrypted_at_rest",
840
+ "children": [
841
+ {
842
+ "id": "non_sensitive",
843
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
844
+ }
845
+ ]
846
+ },
847
+ {
848
+ "id": "hardcoded_password",
849
+ "children": [
850
+ {
851
+ "id": "non_privileged_user",
852
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
853
+ },
854
+ {
855
+ "id": "privileged_user",
856
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
857
+ }
858
+ ]
859
+ },
860
+ {
861
+ "id": "local_administrator_on_default_environment",
862
+ "cvss_v3": "AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
863
+ },
864
+ {
865
+ "id": "over_permissioned_credentials_on_storage",
866
+ "cvss_v3": "AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
867
+ },
868
+ {
869
+ "id": "shared_credentials_on_storage",
870
+ "cvss_v3": "AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
871
+ },
872
+ {
873
+ "id": "weakness_in_firmware_updates",
874
+ "children": [
875
+ {
876
+ "id": "firmware_does_not_validate_update_integrity",
877
+ "cvss_v3": "AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H"
878
+ },
879
+ {
880
+ "id": "firmware_is_not_encrypted",
881
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
882
+ }
883
+ ]
884
+ }
885
+ ]
886
+ },
887
+ {
888
+ "id": "insufficient_security_configurability",
889
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
890
+ "children": [
891
+ {
892
+ "id": "no_password_policy",
893
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"
894
+ },
895
+ {
896
+ "id": "weak_password_reset_implementation",
897
+ "children": [
898
+ {
899
+ "id": "token_is_not_invalidated_after_use",
900
+ "cvss_v3": "AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"
901
+ }
902
+ ]
903
+ },
904
+ {
905
+ "id": "weak_two_fa_implementation",
906
+ "children": [
907
+ {
908
+ "id": "two_fa_secret_cannot_be_rotated",
909
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
910
+ },
911
+ {
912
+ "id": "two_fa_secret_remains_obtainable_after_two_fa_is_enabled",
913
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
914
+ }
915
+ ]
916
+ }
917
+ ]
918
+ },
919
+ {
920
+ "id": "lack_of_binary_hardening",
921
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
922
+ },
923
+ {
924
+ "id": "misinterpretation_biases",
925
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
926
+ },
927
+ {
928
+ "id": "mobile_security_misconfiguration",
929
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
930
+ "children": [
931
+ {
932
+ "id": "auto_backup_allowed_by_default",
933
+ "cvss_v3": "AV:P/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"
934
+ },
935
+ {
936
+ "id": "clipboard_enabled",
937
+ "cvss_v3": "AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N"
938
+ }
939
+ ]
940
+ },
941
+ {
942
+ "id": "network_security_misconfiguration",
943
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
944
+ },
945
+ {
946
+ "id": "physical_security_issues",
947
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
948
+ "children": [
949
+ {
950
+ "id": "weakness_in_physical_access_control",
951
+ "children": [
952
+ {
953
+ "id": "commonly_keyed_system",
954
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N"
955
+ }
956
+ ]
957
+ }
958
+ ]
959
+ },
960
+ {
961
+ "id": "privacy_concerns",
962
+ "children": [
963
+ {
964
+ "id": "unnecessary_data_collection",
965
+ "children": [
966
+ {
967
+ "id": "wifi_ssid_password",
968
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
969
+ }
970
+ ]
971
+ }
972
+ ]
973
+ },
974
+ {
975
+ "id": "protocol_specific_misconfiguration",
976
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
977
+ },
978
+ {
979
+ "id": "sensitive_data_exposure",
980
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
981
+ "children": [
982
+ {
983
+ "id": "disclosure_of_secrets",
984
+ "children": [
985
+ {
986
+ "id": "for_internal_asset",
987
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L"
988
+ },
989
+ {
990
+ "id": "for_publicly_accessible_asset",
991
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
992
+ },
993
+ {
994
+ "id": "pay_per_use_abuse",
995
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
996
+ }
997
+ ]
998
+ },
999
+ {
1000
+ "id": "exif_geolocation_data_not_stripped_from_uploaded_images",
1001
+ "children": [
1002
+ {
1003
+ "id": "automatic_user_enumeration",
1004
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
1005
+ },
1006
+ {
1007
+ "id": "manual_user_enumeration",
1008
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
1009
+ }
1010
+ ]
1011
+ },
1012
+ {
1013
+ "id": "graphql_introspection_enabled",
1014
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
1015
+ },
1016
+ {
1017
+ "id": "json_hijacking",
1018
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N"
1019
+ },
1020
+ {
1021
+ "id": "mixed_content",
1022
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:N"
1023
+ },
1024
+ {
1025
+ "id": "non_sensitive_token_in_url",
1026
+ "cvss_v3": "AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
1027
+ },
1028
+ {
1029
+ "id": "sensitive_token_in_url",
1030
+ "cvss_v3": "AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
1031
+ },
1032
+ {
1033
+ "id": "token_leakage_via_referer",
1034
+ "children": [
1035
+ {
1036
+ "id": "over_http",
1037
+ "cvss_v3": "AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N"
1038
+ },
1039
+ {
1040
+ "id": "password_reset_token",
1041
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
1042
+ },
1043
+ {
1044
+ "id": "trusted_third_party",
1045
+ "cvss_v3": "AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N"
1046
+ },
1047
+ {
1048
+ "id": "untrusted_third_party",
1049
+ "cvss_v3": "AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N"
1050
+ }
1051
+ ]
1052
+ },
1053
+ {
1054
+ "id": "via_localstorage_sessionstorage",
1055
+ "children": [
1056
+ {
1057
+ "id": "non_sensitive_token",
1058
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
1059
+ },
1060
+ {
1061
+ "id": "sensitive_token",
1062
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
1063
+ }
1064
+ ]
1065
+ },
1066
+ {
1067
+ "id": "visible_detailed_error_page",
1068
+ "children": [
1069
+ {
1070
+ "id": "detailed_server_configuration",
1071
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
1072
+ }
1073
+ ]
1074
+ },
1075
+ {
1076
+ "id": "weak_password_reset_implementation",
1077
+ "children": [
1078
+ {
1079
+ "id": "token_leakage_via_host_header_poisoning",
1080
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L"
1081
+ }
1082
+ ],
1083
+ "cvss_v3": "AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N"
1084
+ }
1085
+ ]
1086
+ },
1087
+ {
1088
+ "id": "server_security_misconfiguration",
1089
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
1090
+ "children": [
1091
+ {
1092
+ "id": "bitsquatting",
1093
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
1094
+ },
1095
+ {
1096
+ "id": "captcha",
1097
+ "children": [
1098
+ {
1099
+ "id": "brute_force",
1100
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
1101
+ },
1102
+ {
1103
+ "id": "implementation_vulnerability",
1104
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
1105
+ }
1106
+ ]
1107
+ },
1108
+ {
1109
+ "id": "clickjacking",
1110
+ "children": [
1111
+ {
1112
+ "id": "form_input",
1113
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"
1114
+ },
1115
+ {
1116
+ "id": "non_sensitive_action",
1117
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N"
1118
+ },
1119
+ {
1120
+ "id": "sensitive_action",
1121
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
1122
+ }
1123
+ ]
1124
+ },
1125
+ {
1126
+ "id": "dbms_misconfiguration",
1127
+ "children": [
1128
+ {
1129
+ "id": "excessively_privileged_user_dba",
1130
+ "cvss_v3": "AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N"
1131
+ }
1132
+ ]
1133
+ },
1134
+ {
1135
+ "id": "email_verification_bypass",
1136
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
1137
+ },
1138
+ {
1139
+ "id": "exposed_portal",
1140
+ "children": [
1141
+ {
1142
+ "id": "admin_portal",
1143
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
1144
+ },
1145
+ {
1146
+ "id": "non_admin_portal",
1147
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
1148
+ },
1149
+ {
1150
+ "id": "protected",
1151
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
1152
+ }
1153
+ ]
1154
+ },
1155
+ {
1156
+ "id": "insecure_ssl",
1157
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
1158
+ },
1159
+ {
1160
+ "id": "lack_of_password_confirmation",
1161
+ "children": [
1162
+ {
1163
+ "id": "manage_two_fa",
1164
+ "cvss_v3": "AV:P/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L"
1165
+ }
1166
+ ],
1167
+ "cvss_v3": "AV:P/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L"
1168
+ },
1169
+ {
1170
+ "id": "lack_of_security_headers",
1171
+ "children": [
1172
+ {
1173
+ "id": "cache_control_for_a_sensitive_page",
1174
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
1175
+ }
1176
+ ],
1177
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
1178
+ },
1179
+ {
1180
+ "id": "mail_server_misconfiguration",
1181
+ "children": [
1182
+ {
1183
+ "id": "email_spoofing_to_inbox_due_to_missing_or_misconfigured_dmarc_on_email_domain",
1184
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"
1185
+ },
1186
+ {
1187
+ "id": "no_spoofing_protection_on_email_domain",
1188
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
1189
+ }
1190
+ ]
1191
+ },
1192
+ {
1193
+ "id": "misconfigured_dns",
1194
+ "children": [
1195
+ {
1196
+ "id": "missing_caa_record",
1197
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
1198
+ },
1199
+ {
1200
+ "id": "subdomain_takeover",
1201
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
1202
+ },
1203
+ {
1204
+ "id": "zone_transfer",
1205
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
1206
+ }
1207
+ ]
1208
+ },
1209
+ {
1210
+ "id": "missing_dnssec",
1211
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
1212
+ },
1213
+ {
1214
+ "id": "missing_secure_or_httponly_cookie_flag",
1215
+ "children": [
1216
+ {
1217
+ "id": "session_token",
1218
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
1219
+ }
1220
+ ]
1221
+ },
1222
+ {
1223
+ "id": "missing_subresource_integrity",
1224
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
1225
+ },
1226
+ {
1227
+ "id": "no_rate_limiting_on_form",
1228
+ "children": [
1229
+ {
1230
+ "id": "change_password",
1231
+ "cvss_v3": "AV:P/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L"
1232
+ },
1233
+ {
1234
+ "id": "login",
1235
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
1236
+ }
1237
+ ],
1238
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N"
1239
+ },
1240
+ {
1241
+ "id": "oauth_misconfiguration",
1242
+ "children": [
1243
+ {
1244
+ "id": "account_squatting",
1245
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N"
1246
+ },
1247
+ {
1248
+ "id": "account_takeover",
1249
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
1250
+ },
1251
+ {
1252
+ "id": "insecure_redirect_uri",
1253
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
1254
+ },
1255
+ {
1256
+ "id": "missing_state_parameter",
1257
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
1258
+ }
1259
+ ],
1260
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
1261
+ },
1262
+ {
1263
+ "id": "rfd",
1264
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N"
1265
+ },
1266
+ {
1267
+ "id": "same_site_scripting",
1268
+ "cvss_v3": "AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N"
1269
+ },
1270
+ {
1271
+ "id": "server_side_request_forgery_ssrf",
1272
+ "children": [
1273
+ {
1274
+ "id": "external_dns_query_only",
1275
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L"
1276
+ },
1277
+ {
1278
+ "id": "external_low_impact",
1279
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L"
1280
+ },
1281
+ {
1282
+ "id": "internal_high_impact",
1283
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"
1284
+ },
1285
+ {
1286
+ "id": "internal_scan_and_or_medium_impact",
1287
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N"
1288
+ }
1289
+ ]
1290
+ },
1291
+ {
1292
+ "id": "unsafe_file_upload",
1293
+ "children": [
1294
+ {
1295
+ "id": "no_antivirus",
1296
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N"
1297
+ },
1298
+ {
1299
+ "id": "no_size_limit",
1300
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
1301
+ }
1302
+ ]
1303
+ },
1304
+ {
1305
+ "id": "using_default_credentials",
1306
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
1307
+ },
1308
+ {
1309
+ "id": "waf_bypass",
1310
+ "children": [
1311
+ {
1312
+ "id": "direct_server_access",
1313
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
1314
+ }
1315
+ ]
1316
+ }
1317
+ ]
1318
+ },
1319
+ {
1320
+ "id": "server_side_injection",
1321
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
1322
+ "children": [
1323
+ {
1324
+ "id": "content_spoofing",
1325
+ "children": [
1326
+ {
1327
+ "id": "email_html_injection",
1328
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"
1329
+ },
1330
+ {
1331
+ "id": "external_authentication_injection",
1332
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"
1333
+ },
1334
+ {
1335
+ "id": "html_content_injection",
1336
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
1337
+ },
1338
+ {
1339
+ "id": "iframe_injection",
1340
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"
1341
+ },
1342
+ {
1343
+ "id": "impersonation_via_broken_link_hijacking",
1344
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
1345
+ }
1346
+ ],
1347
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
1348
+ },
1349
+ {
1350
+ "id": "file_inclusion",
1351
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"
1352
+ },
1353
+ {
1354
+ "id": "http_response_manipulation",
1355
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
1356
+ },
1357
+ {
1358
+ "id": "remote_code_execution_rce",
1359
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
1360
+ },
1361
+ {
1362
+ "id": "sql_injection",
1363
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"
1364
+ },
1365
+ {
1366
+ "id": "ssti",
1367
+ "children": [
1368
+ {
1369
+ "id": "basic",
1370
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
1371
+ }
1372
+ ]
1373
+ },
1374
+ {
1375
+ "id": "xml_external_entity_injection_xxe",
1376
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"
1377
+ }
1378
+ ]
1379
+ },
1380
+ {
1381
+ "id": "smart_contract_misconfiguration",
1382
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
1383
+ },
1384
+ {
1385
+ "id": "societal_biases",
1386
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
1387
+ },
1388
+ {
1389
+ "id": "unvalidated_redirects_and_forwards",
1390
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
1391
+ "children": [
1392
+ {
1393
+ "id": "open_redirect",
1394
+ "children": [
1395
+ {
1396
+ "id": "get_based",
1397
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
1398
+ }
1399
+ ]
1400
+ }
1401
+ ]
1402
+ },
1403
+ {
1404
+ "id": "using_components_with_known_vulnerabilities",
1405
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
1406
+ "children": [
1407
+ {
1408
+ "id": "rosetta_flash",
1409
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
1410
+ }
1411
+ ]
1412
+ },
1413
+ {
1414
+ "id": "zero_knowledge_security_misconfiguration",
1415
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
1416
+ }
1417
+ ]
1418
+ }
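Review bot: Several leaf nodes carry the all-none vector `AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N` — `privilege_escalation` under `broken_access_control` at gutter 365, and `insecure_redirect_uri` / `missing_state_parameter` at gutter 1253–1257 — which is byte-identical to `metadata.default` and scores 0.0 (severity None) in any CVSS calculator, so a consumer cannot tell "rating varies, unscored" from "no impact". If these mean "varies", omit `cvss_v3` on those nodes so they fall through to the default the way `client_side_injection` and `cloud_security` already do (presumably that is what `metadata.default` is for), or write an explicit `"cvss_v3": null`; if they are real ratings, a 0.0 privilege escalation would be a data-entry error worth checking. The vectors also omit the `CVSS:3.0/` or `CVSS:3.1/` prefix and the key name `cvss_v3` does not say which revision applies; 3.0 and 3.1 differ in the round-up function, so the intended revision should be recorded, e.g. `"metadata": { "version": "3.1", "default": "..." }` or via the prefix. `excessive_resource_consumption` at gutter 167 rates a denial-of-service category with `C:L/I:H/A:H`, unlike its siblings and every other DoS entry in the file which use availability-only impact — this looks like a transposed vector and should be confirmed against the taxonomy source. Finally, `cvss_v3` precedes `children` on most parents but follows it on `broken_access_control`, `excessive_resource_consumption`, `lack_of_password_confirmation`, `no_rate_limiting_on_form` and others; key order is meaningless to a parser, but one consistent order keeps future version diffs readable.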