vrt 0.7.1 → 0.11.0

Sign up to get free protection for your applications and to get access to all the features.
Files changed (65) hide show
  1. checksums.yaml +5 -5
  2. data/lib/data/1.10.1/deprecated-node-mapping.json +200 -0
  3. data/lib/data/1.10.1/mappings/cvss_v3/cvss_v3.json +1074 -0
  4. data/lib/data/1.10.1/mappings/cvss_v3/cvss_v3.schema.json +59 -0
  5. data/lib/data/1.10.1/mappings/cwe/cwe.json +477 -0
  6. data/lib/data/1.10.1/mappings/cwe/cwe.schema.json +63 -0
  7. data/lib/data/1.10.1/mappings/remediation_advice/remediation_advice.json +1543 -0
  8. data/lib/data/1.10.1/mappings/remediation_advice/remediation_advice.schema.json +75 -0
  9. data/lib/data/1.10.1/third-party-mappings/remediation_training/secure-code-warrior-links.json +348 -0
  10. data/lib/data/1.10.1/vrt.schema.json +63 -0
  11. data/lib/data/1.10.1/vulnerability-rating-taxonomy.json +2171 -0
  12. data/lib/data/1.10/deprecated-node-mapping.json +200 -0
  13. data/lib/data/1.10/mappings/cvss_v3/cvss_v3.json +1074 -0
  14. data/lib/data/1.10/mappings/cvss_v3/cvss_v3.schema.json +59 -0
  15. data/lib/data/1.10/mappings/cwe/cwe.json +477 -0
  16. data/lib/data/1.10/mappings/cwe/cwe.schema.json +63 -0
  17. data/lib/data/1.10/mappings/remediation_advice/remediation_advice.json +1543 -0
  18. data/lib/data/1.10/mappings/remediation_advice/remediation_advice.schema.json +75 -0
  19. data/lib/data/1.10/third-party-mappings/remediation_training/secure-code-warriors-links.json +348 -0
  20. data/lib/data/1.10/vrt.schema.json +63 -0
  21. data/lib/data/1.10/vulnerability-rating-taxonomy.json +2171 -0
  22. data/lib/data/1.7.1/deprecated-node-mapping.json +149 -0
  23. data/lib/data/1.7.1/mappings/cvss_v3/cvss_v3.json +928 -0
  24. data/lib/data/1.7.1/mappings/cvss_v3/cvss_v3.schema.json +59 -0
  25. data/lib/data/1.7.1/mappings/cwe/cwe.json +441 -0
  26. data/lib/data/1.7.1/mappings/cwe/cwe.schema.json +63 -0
  27. data/lib/data/1.7.1/mappings/remediation_advice/remediation_advice.json +1354 -0
  28. data/lib/data/1.7.1/mappings/remediation_advice/remediation_advice.schema.json +75 -0
  29. data/lib/data/1.7.1/vrt.schema.json +63 -0
  30. data/lib/data/1.7.1/vulnerability-rating-taxonomy.json +1937 -0
  31. data/lib/data/1.7/deprecated-node-mapping.json +149 -0
  32. data/lib/data/1.7/mappings/cvss_v3/cvss_v3.json +861 -0
  33. data/lib/data/1.7/mappings/cvss_v3/cvss_v3.schema.json +59 -0
  34. data/lib/data/1.7/mappings/cwe/cwe.json +441 -0
  35. data/lib/data/1.7/mappings/cwe/cwe.schema.json +63 -0
  36. data/lib/data/1.7/mappings/remediation_advice/remediation_advice.json +1230 -0
  37. data/lib/data/1.7/mappings/remediation_advice/remediation_advice.schema.json +75 -0
  38. data/lib/data/1.7/vrt.schema.json +63 -0
  39. data/lib/data/1.7/vulnerability-rating-taxonomy.json +1937 -0
  40. data/lib/data/1.8/deprecated-node-mapping.json +149 -0
  41. data/lib/data/1.8/mappings/cvss_v3/cvss_v3.json +935 -0
  42. data/lib/data/1.8/mappings/cvss_v3/cvss_v3.schema.json +59 -0
  43. data/lib/data/1.8/mappings/cwe/cwe.json +453 -0
  44. data/lib/data/1.8/mappings/cwe/cwe.schema.json +63 -0
  45. data/lib/data/1.8/mappings/remediation_advice/remediation_advice.json +1381 -0
  46. data/lib/data/1.8/mappings/remediation_advice/remediation_advice.schema.json +75 -0
  47. data/lib/data/1.8/vrt.schema.json +63 -0
  48. data/lib/data/1.8/vulnerability-rating-taxonomy.json +1948 -0
  49. data/lib/data/1.9/deprecated-node-mapping.json +158 -0
  50. data/lib/data/1.9/mappings/cvss_v3/cvss_v3.json +1002 -0
  51. data/lib/data/1.9/mappings/cvss_v3/cvss_v3.schema.json +59 -0
  52. data/lib/data/1.9/mappings/cwe/cwe.json +457 -0
  53. data/lib/data/1.9/mappings/cwe/cwe.schema.json +63 -0
  54. data/lib/data/1.9/mappings/remediation_advice/remediation_advice.json +1409 -0
  55. data/lib/data/1.9/mappings/remediation_advice/remediation_advice.schema.json +75 -0
  56. data/lib/data/1.9/vrt.schema.json +63 -0
  57. data/lib/data/1.9/vulnerability-rating-taxonomy.json +2053 -0
  58. data/lib/generators/vrt/install_generator.rb +1 -1
  59. data/lib/vrt.rb +2 -0
  60. data/lib/vrt/cross_version_mapping.rb +3 -2
  61. data/lib/vrt/errors.rb +5 -0
  62. data/lib/vrt/map.rb +8 -5
  63. data/lib/vrt/mapping.rb +12 -1
  64. data/lib/vrt/version.rb +1 -1
  65. metadata +92 -32
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
- SHA1:
3
- metadata.gz: 4d2c3bc4410dd58220933a1c508fc52ea0e2e7ae
4
- data.tar.gz: 2f6ebbb171e77556b87b183ddbebadc98d5d4e6a
2
+ SHA256:
3
+ metadata.gz: 3e72aff10fc7d7e4541d82abe72ea1a27d15bf081f0680486bacf8dad8e24401
4
+ data.tar.gz: 9f36f73bdb60ffa38c54b0b3d77070e54bbea90040460f70178db30ac9f6cd6c
5
5
  SHA512:
6
- metadata.gz: 23101417ef47848ac60e8ac0e9454b5b287575a673ddecb9987718d2153f0e3f48d5e94f7d9fff46cbd8cbf6b3cbf21e099960ea10593d17890f772910c6b816
7
- data.tar.gz: adfdf08e4fc4bfa8f3051fa778f458a7d2933583572b3cc632d75c2c61765683eaff805f1684f4998a1e910f46de7e431f17e99a5057b82d43f19cdb9396da71
6
+ metadata.gz: c669431d70441701c9a648304d077b1d9675c83895430d0b396f42d32d9856ecc303619e710e563642cc1bf18dde41ec36d8dbe009ac1e12da7abe4419d100a5
7
+ data.tar.gz: 55ec6e249e5371bea5a8adbba3eeb8a026b504b9f8b4de6ce4d369e7d8a5b33de752d0c5414b3fb7c2cba23cfbd653aa940689dfd4010dc55d8a4909727feae6
@@ -0,0 +1,200 @@
1
+ {
2
+ "poor_physical_security": {
3
+ "1.1": "other"
4
+ },
5
+ "social_engineering": {
6
+ "1.1": "other"
7
+ },
8
+ "unvalidated_redirects_and_forwards.open_redirect.get_based_all_users": {
9
+ "1.2": "unvalidated_redirects_and_forwards.open_redirect.get_based"
10
+ },
11
+ "unvalidated_redirects_and_forwards.open_redirect.get_based_authenticated": {
12
+ "1.2": "unvalidated_redirects_and_forwards.open_redirect.get_based"
13
+ },
14
+ "unvalidated_redirects_and_forwards.open_redirect.get_based_unauthenticated": {
15
+ "1.2": "unvalidated_redirects_and_forwards.open_redirect.get_based"
16
+ },
17
+ "broken_authentication_and_session_management.session_token_in_url.over_https": {
18
+ "1.2": "sensitive_data_exposure.sensitive_token_in_url"
19
+ },
20
+ "broken_authentication_and_session_management.session_token_in_url.over_http": {
21
+ "1.2": "sensitive_data_exposure.sensitive_token_in_url"
22
+ },
23
+ "broken_authentication_and_session_management.session_token_in_url": {
24
+ "1.2": "sensitive_data_exposure.sensitive_token_in_url"
25
+ },
26
+ "insecure_data_transport": {
27
+ "1.2": "mobile_security_misconfiguration"
28
+ },
29
+ "insecure_data_transport.ssl_certificate_pinning": {
30
+ "1.2": "mobile_security_misconfiguration.ssl_certificate_pinning"
31
+ },
32
+ "insecure_data_transport.ssl_certificate_pinning.absent": {
33
+ "1.2": "mobile_security_misconfiguration.ssl_certificate_pinning.absent"
34
+ },
35
+ "insecure_data_transport.ssl_certificate_pinning.defeatable": {
36
+ "1.2": "mobile_security_misconfiguration.ssl_certificate_pinning.defeatable"
37
+ },
38
+ "insecure_data_storage.credentials_stored_unencrypted": {
39
+ "1.2": "insecure_data_storage.sensitive_application_data_stored_unencrypted"
40
+ },
41
+ "insecure_data_storage.credentials_stored_unencrypted.on_external_storage": {
42
+ "1.2": "insecure_data_storage.sensitive_application_data_stored_unencrypted.on_external_storage"
43
+ },
44
+ "insecure_data_storage.credentials_stored_unencrypted.on_internal_storage": {
45
+ "1.2": "insecure_data_storage.sensitive_application_data_stored_unencrypted.on_internal_storage"
46
+ },
47
+ "insufficient_security_configurability.weak_password_policy.complexity_both_length_and_char_type_not_enforced": {
48
+ "1.2": "insufficient_security_configurability.no_password_policy"
49
+ },
50
+ "missing_function_level_access_control": {
51
+ "1.3": "broken_access_control"
52
+ },
53
+ "missing_function_level_access_control.server_side_request_forgery_ssrf": {
54
+ "1.3": "broken_access_control.server_side_request_forgery_ssrf"
55
+ },
56
+ "missing_function_level_access_control.server_side_request_forgery_ssrf.internal": {
57
+ "1.3": "broken_access_control.server_side_request_forgery_ssrf.internal"
58
+ },
59
+ "missing_function_level_access_control.server_side_request_forgery_ssrf.external": {
60
+ "1.3": "broken_access_control.server_side_request_forgery_ssrf.external"
61
+ },
62
+ "missing_function_level_access_control.username_enumeration": {
63
+ "1.3": "broken_access_control.username_enumeration"
64
+ },
65
+ "missing_function_level_access_control.username_enumeration.data_leak": {
66
+ "1.3": "broken_access_control.username_enumeration.data_leak"
67
+ },
68
+ "missing_function_level_access_control.exposed_sensitive_android_intent": {
69
+ "1.3": "broken_access_control.exposed_sensitive_android_intent"
70
+ },
71
+ "missing_function_level_access_control.exposed_sensitive_ios_url_scheme": {
72
+ "1.3": "broken_access_control.exposed_sensitive_ios_url_scheme"
73
+ },
74
+ "insecure_direct_object_references_idor": {
75
+ "1.3": "broken_access_control.idor"
76
+ },
77
+ "broken_authentication_and_session_management.weak_login_function.over_http": {
78
+ "1.4": "broken_authentication_and_session_management.weak_login_function.https_not_available_or_http_by_default"
79
+ },
80
+ "cross_site_scripting_xss.ie_only.older_version_ie_10_11": {
81
+ "1.4": "cross_site_scripting_xss.ie_only.ie11"
82
+ },
83
+ "cross_site_scripting_xss.ie_only.older_version_ie10": {
84
+ "1.4": "cross_site_scripting_xss.ie_only.older_version_ie11"
85
+ },
86
+ "broken_authentication_and_session_management.failure_to_invalidate_session.on_password_reset": {
87
+ "1.4": "broken_authentication_and_session_management.failure_to_invalidate_session.on_password_change"
88
+ },
89
+ "network_security_misconfiguration.telnet_enabled.credentials_required": {
90
+ "1.4": "broken_authentication_and_session_management.weak_login_function.other_plaintext_protocol_no_secure_alternative"
91
+ },
92
+ "server_security_misconfiguration.mail_server_misconfiguration.missing_spf_on_email_domain": {
93
+ "1.5": "server_security_misconfiguration.mail_server_misconfiguration.email_spoofing_on_email_domain"
94
+ },
95
+ "server_security_misconfiguration.mail_server_misconfiguration.email_spoofable_via_third_party_api_misconfiguration": {
96
+ "1.5": "server_security_misconfiguration.mail_server_misconfiguration.email_spoofing_on_email_domain"
97
+ },
98
+ "cross_site_scripting_xss.stored.admin_to_anyone": {
99
+ "1.5": "cross_site_scripting_xss.stored.privileged_user_to_privilege_elevation"
100
+ },
101
+ "server_security_misconfiguration.misconfigured_dns.subdomain_takeover": {
102
+ "1.5": "server_security_misconfiguration.misconfigured_dns.basic_subdomain_takeover"
103
+ },
104
+ "server_security_misconfiguration.captcha_bypass": {
105
+ "1.5": "server_security_misconfiguration.captcha"
106
+ },
107
+ "server_security_misconfiguration.captcha_bypass.implementation_vulnerability": {
108
+ "1.5": "server_security_misconfiguration.captcha.implementation_vulnerability"
109
+ },
110
+ "server_security_misconfiguration.captcha_bypass.brute_force": {
111
+ "1.5": "server_security_misconfiguration.captcha.brute_force"
112
+ },
113
+ "broken_access_control.server_side_request_forgery_ssrf.internal": {
114
+ "1.6": "broken_access_control.server_side_request_forgery_ssrf.internal_high_impact"
115
+ },
116
+ "server_security_misconfiguration.mail_server_misconfiguration.email_spoofing_on_email_domain": {
117
+ "1.6": "server_security_misconfiguration.mail_server_misconfiguration.no_spoofing_protection_on_email_domain"
118
+ },
119
+ "server_security_misconfiguration.mail_server_misconfiguration.missing_spf_on_non_email_domain": {
120
+ "1.6": "server_security_misconfiguration.mail_server_misconfiguration.missing_or_misconfigured_spf_and_or_dkim"
121
+ },
122
+ "server_security_misconfiguration.mail_server_misconfiguration.spf_uses_a_soft_fail": {
123
+ "1.6": "server_security_misconfiguration.mail_server_misconfiguration.missing_or_misconfigured_spf_and_or_dkim"
124
+ },
125
+ "server_security_misconfiguration.mail_server_misconfiguration.spf_includes_10_lookups": {
126
+ "1.6": "server_security_misconfiguration.mail_server_misconfiguration.missing_or_misconfigured_spf_and_or_dkim"
127
+ },
128
+ "server_security_misconfiguration.mail_server_misconfiguration.missing_dmarc": {
129
+ "1.6": "server_security_misconfiguration.mail_server_misconfiguration.email_spoofing_to_inbox_due_to_missing_or_misconfigured_dmarc_on_email_domain"
130
+ },
131
+ "broken_access_control.username_enumeration.data_leak": {
132
+ "1.7": "broken_access_control.username_enumeration.non_brute_force"
133
+ },
134
+ "insufficient_security_configurability.weak_2fa_implementation": {
135
+ "1.7": "insufficient_security_configurability.weak_two_fa_implementation"
136
+ },
137
+ "sensitive_data_exposure.token_leakage_via_referer.trusted_3rd_party": {
138
+ "1.7": "sensitive_data_exposure.token_leakage_via_referer.trusted_third_party"
139
+ },
140
+ "sensitive_data_exposure.token_leakage_via_referer.untrusted_3rd_party": {
141
+ "1.7": "sensitive_data_exposure.token_leakage_via_referer.untrusted_third_party"
142
+ },
143
+ "cross_site_scripting_xss.ie_only.ie11": {
144
+ "1.7": "cross_site_scripting_xss.ie_only.ie_eleven"
145
+ },
146
+ "cross_site_scripting_xss.ie_only.older_version_ie11": {
147
+ "1.7": "cross_site_scripting_xss.ie_only.older_version_ie_eleven"
148
+ },
149
+ "sensitive_data_exposure.critically_sensitive_data.password_disclosure": {
150
+ "1.9": "sensitive_data_exposure.disclosure_of_secrets"
151
+ },
152
+ "sensitive_data_exposure.critically_sensitive_data.private_api_keys": {
153
+ "1.9": "sensitive_data_exposure.disclosure_of_secrets"
154
+ },
155
+ "sensitive_data_exposure.critically_sensitive_data": {
156
+ "1.9": "sensitive_data_exposure"
157
+ },
158
+ "insufficient_security_configurability.lack_of_verification_email": {
159
+ "1.10": "insufficient_security_configurability.verification_of_contact_method_not_required"
160
+ },
161
+ "broken_authentication_and_session_management.weak_login_function.https_not_available_or_http_by_default": {
162
+ "1.10": "broken_authentication_and_session_management.weak_login_function.over_http"
163
+ },
164
+ "broken_authentication_and_session_management.weak_login_function.http_and_https_available": {
165
+ "1.10": "broken_authentication_and_session_management.weak_login_function.over_http"
166
+ },
167
+ "broken_authentication_and_session_management.weak_login_function.lan_only": {
168
+ "1.10": "broken_authentication_and_session_management.weak_login_function.over_http"
169
+ },
170
+ "cross_site_request_forgery_csrf.flash_based.high_impact": {
171
+ "1.10": "cross_site_request_forgery_csrf.flash_based"
172
+ },
173
+ "cross_site_request_forgery_csrf.flash_based.low_impact": {
174
+ "1.10": "cross_site_request_forgery_csrf.flash_based"
175
+ },
176
+ "automotive_security_misconfiguration.infotainment": {
177
+ "1.10": "automotive_security_misconfiguration.infotainment_radio_head_unit"
178
+ },
179
+ "automotive_security_misconfiguration.infotainment.pii_leakage": {
180
+ "1.10": "automotive_security_misconfiguration.infotainment_radio_head_unit.pii_leakage"
181
+ },
182
+ "automotive_security_misconfiguration.infotainment.code_execution_can_bus_pivot": {
183
+ "1.10": "automotive_security_misconfiguration.infotainment_radio_head_unit.code_execution_can_bus_pivot"
184
+ },
185
+ "automotive_security_misconfiguration.infotainment.code_execution_no_can_bus_pivot": {
186
+ "1.10": "automotive_security_misconfiguration.infotainment_radio_head_unit.code_execution_no_can_bus_pivot"
187
+ },
188
+ "automotive_security_misconfiguration.infotainment.unauthorized_access_to_services": {
189
+ "1.10": "automotive_security_misconfiguration.infotainment_radio_head_unit.unauthorized_access_to_services"
190
+ },
191
+ "automotive_security_misconfiguration.infotainment.source_code_dump": {
192
+ "1.10": "automotive_security_misconfiguration.infotainment_radio_head_unit.source_code_dump"
193
+ },
194
+ "automotive_security_misconfiguration.infotainment.dos_brick": {
195
+ "1.10": "automotive_security_misconfiguration.infotainment_radio_head_unit.dos_brick"
196
+ },
197
+ "automotive_security_misconfiguration.infotainment.default_credentials": {
198
+ "1.10": "automotive_security_misconfiguration.infotainment_radio_head_unit.default_credentials"
199
+ }
200
+ }
@@ -0,0 +1,1074 @@
1
+ {
2
+ "metadata": {
3
+ "default": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
4
+ },
5
+ "content": [
6
+ {
7
+ "id": "server_security_misconfiguration",
8
+ "children": [
9
+ {
10
+ "id": "unsafe_cross_origin_resource_sharing",
11
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N"
12
+ },
13
+ {
14
+ "id": "path_traversal",
15
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
16
+ },
17
+ {
18
+ "id": "directory_listing_enabled",
19
+ "children": [
20
+ {
21
+ "id": "sensitive_data_exposure",
22
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
23
+ },
24
+ {
25
+ "id": "non_sensitive_data_exposure",
26
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
27
+ }
28
+ ]
29
+ },
30
+ {
31
+ "id": "same_site_scripting",
32
+ "cvss_v3": "AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N"
33
+ },
34
+ {
35
+ "id": "ssl_attack_breach_poodle_etc",
36
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"
37
+ },
38
+ {
39
+ "id": "using_default_credentials",
40
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
41
+ },
42
+ {
43
+ "id": "misconfigured_dns",
44
+ "children": [
45
+ {
46
+ "id": "basic_subdomain_takeover",
47
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
48
+ },
49
+ {
50
+ "id": "high_impact_subdomain_takeover",
51
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N"
52
+ },
53
+ {
54
+ "id": "zone_transfer",
55
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
56
+ },
57
+ {
58
+ "id": "missing_caa_record",
59
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
60
+ }
61
+ ]
62
+ },
63
+ {
64
+ "id": "mail_server_misconfiguration",
65
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
66
+ "children": [
67
+ {
68
+ "id": "no_spoofing_protection_on_email_domain",
69
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
70
+ },
71
+ {
72
+ "id": "email_spoofing_to_inbox_due_to_missing_or_misconfigured_dmarc_on_email_domain",
73
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"
74
+ }
75
+ ]
76
+ },
77
+ {
78
+ "id": "dbms_misconfiguration",
79
+ "children": [
80
+ {
81
+ "id": "excessively_privileged_user_dba",
82
+ "cvss_v3": "AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N"
83
+ }
84
+ ]
85
+ },
86
+ {
87
+ "id": "lack_of_password_confirmation",
88
+ "cvss_v3": "AV:P/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L",
89
+ "children": [
90
+ {
91
+ "id": "manage_two_fa",
92
+ "cvss_v3": "AV:P/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L"
93
+ }
94
+ ]
95
+ },
96
+ {
97
+ "id": "no_rate_limiting_on_form",
98
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
99
+ "children": [
100
+ {
101
+ "id": "login",
102
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
103
+ },
104
+ {
105
+ "id": "change_password",
106
+ "cvss_v3": "AV:P/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L"
107
+ }
108
+ ]
109
+ },
110
+ {
111
+ "id": "unsafe_file_upload",
112
+ "children": [
113
+ {
114
+ "id": "no_antivirus",
115
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N"
116
+ },
117
+ {
118
+ "id": "no_size_limit",
119
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
120
+ },
121
+ {
122
+ "id": "file_extension_filter_bypass",
123
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
124
+ }
125
+ ]
126
+ },
127
+ {
128
+ "id": "cookie_scoped_to_parent_domain",
129
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
130
+ },
131
+ {
132
+ "id": "missing_secure_or_httponly_cookie_flag",
133
+ "children": [
134
+ {
135
+ "id": "session_token",
136
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
137
+ },
138
+ {
139
+ "id": "non_session_cookie",
140
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
141
+ }
142
+ ]
143
+ },
144
+ {
145
+ "id": "clickjacking",
146
+ "children": [
147
+ {
148
+ "id": "sensitive_action",
149
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
150
+ },
151
+ {
152
+ "id": "form_input",
153
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"
154
+ },
155
+ {
156
+ "id": "non_sensitive_action",
157
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N"
158
+ }
159
+ ]
160
+ },
161
+ {
162
+ "id": "oauth_misconfiguration",
163
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
164
+ "children": [
165
+ {
166
+ "id": "account_takeover",
167
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
168
+ },
169
+ {
170
+ "id": "account_squatting",
171
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N"
172
+ }
173
+ ]
174
+ },
175
+ {
176
+ "id": "captcha",
177
+ "children": [
178
+ {
179
+ "id": "implementation_vulnerability",
180
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
181
+ },
182
+ {
183
+ "id": "brute_force",
184
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
185
+ },
186
+ {
187
+ "id": "missing",
188
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
189
+ }
190
+ ]
191
+ },
192
+ {
193
+ "id": "exposed_admin_portal",
194
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
195
+ },
196
+ {
197
+ "id": "missing_dnssec",
198
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
199
+ },
200
+ {
201
+ "id": "fingerprinting_banner_disclosure",
202
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
203
+ },
204
+ {
205
+ "id": "username_enumeration",
206
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
207
+ },
208
+ {
209
+ "id": "potentially_unsafe_http_method_enabled",
210
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
211
+ },
212
+ {
213
+ "id": "insecure_ssl",
214
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
215
+ },
216
+ {
217
+ "id": "rfd",
218
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N"
219
+ },
220
+ {
221
+ "id": "lack_of_security_headers",
222
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N",
223
+ "children": [
224
+ {
225
+ "id": "cache_control_for_a_sensitive_page",
226
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
227
+ }
228
+ ]
229
+ },
230
+ {
231
+ "id": "waf_bypass",
232
+ "children": [
233
+ {
234
+ "id": "direct_server_access",
235
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
236
+ }
237
+ ]
238
+ },
239
+ {
240
+ "id": "race_condition",
241
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
242
+ },
243
+ {
244
+ "id": "cache_poisoning",
245
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
246
+ },
247
+ {
248
+ "id": "bitsquatting",
249
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
250
+ }
251
+ ]
252
+ },
253
+ {
254
+ "id": "server_side_injection",
255
+ "children": [
256
+ {
257
+ "id": "file_inclusion",
258
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"
259
+ },
260
+ {
261
+ "id": "parameter_pollution",
262
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
263
+ },
264
+ {
265
+ "id": "remote_code_execution_rce",
266
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
267
+ },
268
+ {
269
+ "id": "sql_injection",
270
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"
271
+ },
272
+ {
273
+ "id": "xml_external_entity_injection_xxe",
274
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"
275
+ },
276
+ {
277
+ "id": "http_response_manipulation",
278
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
279
+ },
280
+ {
281
+ "id": "content_spoofing",
282
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N",
283
+ "children": [
284
+ {
285
+ "id": "iframe_injection",
286
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"
287
+ },
288
+ {
289
+ "id": "impersonation_via_broken_link_hijacking",
290
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
291
+ },
292
+ {
293
+ "id": "external_authentication_injection",
294
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"
295
+ },
296
+ {
297
+ "id": "flash_based_external_authentication_injection",
298
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
299
+ },
300
+ {
301
+ "id": "email_html_injection",
302
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"
303
+ }
304
+ ]
305
+ },
306
+ {
307
+ "id": "ssti",
308
+ "children": [
309
+ {
310
+ "id": "basic",
311
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
312
+ },
313
+ {
314
+ "id": "custom",
315
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
316
+ }
317
+ ]
318
+ }
319
+ ]
320
+ },
321
+ {
322
+ "id": "broken_authentication_and_session_management",
323
+ "children": [
324
+ {
325
+ "id": "authentication_bypass",
326
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
327
+ },
328
+ {
329
+ "id": "two_fa_bypass",
330
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
331
+ },
332
+ {
333
+ "id": "privilege_escalation",
334
+ "cvss_v3": "AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N"
335
+ },
336
+ {
337
+ "id": "cleartext_transmission_of_session_token",
338
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
339
+ },
340
+ {
341
+ "id": "weak_login_function",
342
+ "children": [
343
+ {
344
+ "id": "not_operational",
345
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
346
+ },
347
+ {
348
+ "id": "other_plaintext_protocol_no_secure_alternative",
349
+ "cvss_v3": "AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
350
+ },
351
+ {
352
+ "id": "over_http",
353
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"
354
+ }
355
+ ]
356
+ },
357
+ {
358
+ "id": "session_fixation",
359
+ "children": [
360
+ {
361
+ "id": "remote_attack_vector",
362
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N"
363
+ },
364
+ {
365
+ "id": "local_attack_vector",
366
+ "cvss_v3": "AV:P/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N"
367
+ }
368
+ ]
369
+ },
370
+ {
371
+ "id": "failure_to_invalidate_session",
372
+ "children": [
373
+ {
374
+ "id": "on_logout",
375
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N"
376
+ },
377
+ {
378
+ "id": "on_logout_server_side_only",
379
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N"
380
+ },
381
+ {
382
+ "id": "on_password_change",
383
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N"
384
+ },
385
+ {
386
+ "id": "all_sessions",
387
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N"
388
+ },
389
+ {
390
+ "id": "on_email_change",
391
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N"
392
+ },
393
+ {
394
+ "id": "on_two_fa_activation_change",
395
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N"
396
+ },
397
+ {
398
+ "id": "long_timeout",
399
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N"
400
+ }
401
+ ]
402
+ },
403
+ {
404
+ "id": "concurrent_logins",
405
+ "cvss_v3": "AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N"
406
+ },
407
+ {
408
+ "id": "weak_registration_implementation",
409
+ "cvss_v3": "AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"
410
+ }
411
+ ]
412
+ },
413
+ {
414
+ "id": "sensitive_data_exposure",
415
+ "children": [
416
+ {
417
+ "id": "disclosure_of_secrets",
418
+ "children": [
419
+ {
420
+ "id": "for_publicly_accessible_asset",
421
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
422
+ },
423
+ {
424
+ "id": "for_internal_asset",
425
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L"
426
+ },
427
+ {
428
+ "id": "pay_per_use_abuse",
429
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
430
+ },
431
+ {
432
+ "id": "intentionally_public_sample_or_invalid",
433
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
434
+ },
435
+ {
436
+ "id": "data_traffic_spam",
437
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
438
+ },
439
+ {
440
+ "id": "non_corporate_user",
441
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
442
+ }
443
+ ]
444
+ },
445
+ {
446
+ "id": "exif_geolocation_data_not_stripped_from_uploaded_images",
447
+ "children": [
448
+ {
449
+ "id": "automatic_user_enumeration",
450
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
451
+ },
452
+ {
453
+ "id": "manual_user_enumeration",
454
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
455
+ }
456
+ ]
457
+ },
458
+ {
459
+ "id": "visible_detailed_error_page",
460
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
461
+ "children": [
462
+ {
463
+ "id": "detailed_server_configuration",
464
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
465
+ }
466
+ ]
467
+ },
468
+ {
469
+ "id": "disclosure_of_known_public_information",
470
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
471
+ },
472
+ {
473
+ "id": "token_leakage_via_referer",
474
+ "children": [
475
+ {
476
+ "id": "trusted_third_party",
477
+ "cvss_v3": "AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N"
478
+ },
479
+ {
480
+ "id": "untrusted_third_party",
481
+ "cvss_v3": "AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N"
482
+ },
483
+ {
484
+ "id": "over_http",
485
+ "cvss_v3": "AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N"
486
+ }
487
+ ]
488
+ },
489
+ {
490
+ "id": "sensitive_token_in_url",
491
+ "cvss_v3": "AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
492
+ },
493
+ {
494
+ "id": "non_sensitive_token_in_url",
495
+ "cvss_v3": "AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
496
+ },
497
+ {
498
+ "id": "weak_password_reset_implementation",
499
+ "cvss_v3": "AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N",
500
+ "children": [
501
+ {
502
+ "id": "token_leakage_via_host_header_poisoning",
503
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L"
504
+ }
505
+ ]
506
+ },
507
+ {
508
+ "id": "mixed_content",
509
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:N"
510
+ },
511
+ {
512
+ "id": "sensitive_data_hardcoded",
513
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
514
+ },
515
+ {
516
+ "id": "internal_ip_disclosure",
517
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
518
+ },
519
+ {
520
+ "id": "xssi",
521
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N"
522
+ },
523
+ {
524
+ "id": "json_hijacking",
525
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N"
526
+ },
527
+ {
528
+ "id": "via_localstorage_sessionstorage",
529
+ "children": [
530
+ {
531
+ "id": "sensitive_token",
532
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
533
+ },
534
+ {
535
+ "id": "non_sensitive_token",
536
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
537
+ }
538
+ ]
539
+ }
540
+ ]
541
+ },
542
+ {
543
+ "id": "cross_site_scripting_xss",
544
+ "children": [
545
+ {
546
+ "id": "stored",
547
+ "children": [
548
+ {
549
+ "id": "non_admin_to_anyone",
550
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N"
551
+ },
552
+ {
553
+ "id": "privileged_user_to_privilege_elevation",
554
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N"
555
+ },
556
+ {
557
+ "id": "privileged_user_to_no_privilege_elevation",
558
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N"
559
+ },
560
+ {
561
+ "id": "url_based",
562
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
563
+ },
564
+ {
565
+ "id": "self",
566
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
567
+ }
568
+ ]
569
+ },
570
+ {
571
+ "id": "reflected",
572
+ "children": [
573
+ {
574
+ "id": "non_self",
575
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
576
+ },
577
+ {
578
+ "id": "self",
579
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
580
+ }
581
+ ]
582
+ },
583
+ {
584
+ "id": "flash_based",
585
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:N"
586
+ },
587
+ {
588
+ "id": "cookie_based",
589
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:N"
590
+ },
591
+ {
592
+ "id": "ie_only",
593
+ "children": [
594
+ {
595
+ "id": "ie_eleven",
596
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
597
+ },
598
+ {
599
+ "id": "xss_filter_disabled",
600
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
601
+ },
602
+ {
603
+ "id": "older_version_ie_eleven",
604
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:N"
605
+ }
606
+ ]
607
+ },
608
+ {
609
+ "id": "referer",
610
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
611
+ },
612
+ {
613
+ "id": "trace_method",
614
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
615
+ },
616
+ {
617
+ "id": "universal_uxss",
618
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
619
+ },
620
+ {
621
+ "id": "off_domain",
622
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
623
+ }
624
+ ]
625
+ },
626
+ {
627
+ "id": "broken_access_control",
628
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
629
+ "children": [
630
+ {
631
+ "id": "server_side_request_forgery_ssrf",
632
+ "children": [
633
+ {
634
+ "id": "internal_high_impact",
635
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"
636
+ },
637
+ {
638
+ "id": "internal_scan_and_or_medium_impact",
639
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N"
640
+ },
641
+ {
642
+ "id": "external",
643
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L"
644
+ }
645
+ ]
646
+ },
647
+ {
648
+ "id": "username_enumeration",
649
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
650
+ }
651
+ ]
652
+ },
653
+ {
654
+ "id": "cross_site_request_forgery_csrf",
655
+ "children": [
656
+ {
657
+ "id": "application_wide",
658
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L"
659
+ },
660
+ {
661
+ "id": "action_specific",
662
+ "children": [
663
+ {
664
+ "id": "authenticated_action",
665
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N"
666
+ },
667
+ {
668
+ "id": "unauthenticated_action",
669
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
670
+ },
671
+ {
672
+ "id": "logout",
673
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N"
674
+ }
675
+ ]
676
+ },
677
+ {
678
+ "id": "csrf_token_not_unique_per_request",
679
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
680
+ },
681
+ {
682
+ "id": "flash_based",
683
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
684
+ }
685
+ ]
686
+ },
687
+ {
688
+ "id": "application_level_denial_of_service_dos",
689
+ "children": [
690
+ {
691
+ "id": "critical_impact_and_or_easy_difficulty",
692
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
693
+ },
694
+ {
695
+ "id": "high_impact_and_or_medium_difficulty",
696
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
697
+ },
698
+ {
699
+ "id": "app_crash",
700
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
701
+ }
702
+ ]
703
+ },
704
+ {
705
+ "id": "unvalidated_redirects_and_forwards",
706
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
707
+ "children": [
708
+ {
709
+ "id": "open_redirect",
710
+ "children": [
711
+ {
712
+ "id": "get_based",
713
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
714
+ }
715
+ ]
716
+ }
717
+ ]
718
+ },
719
+ {
720
+ "id": "external_behavior",
721
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
722
+ },
723
+ {
724
+ "id": "insufficient_security_configurability",
725
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
726
+ "children": [
727
+ {
728
+ "id": "no_password_policy",
729
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"
730
+ },
731
+ {
732
+ "id": "weak_password_reset_implementation",
733
+ "children": [
734
+ {
735
+ "id": "token_is_not_invalidated_after_use",
736
+ "cvss_v3": "AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"
737
+ }
738
+ ]
739
+ },
740
+ {
741
+ "id": "weak_two_fa_implementation",
742
+ "children": [
743
+ {
744
+ "id": "two_fa_secret_cannot_be_rotated",
745
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
746
+ },
747
+ {
748
+ "id": "two_fa_secret_remains_obtainable_after_two_fa_is_enabled",
749
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
750
+ }
751
+ ]
752
+ }
753
+ ]
754
+ },
755
+ {
756
+ "id": "using_components_with_known_vulnerabilities",
757
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
758
+ "children": [
759
+ {
760
+ "id": "rosetta_flash",
761
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
762
+ }
763
+ ]
764
+ },
765
+ {
766
+ "id": "insecure_data_storage",
767
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
768
+ "children": [
769
+ {
770
+ "id": "sensitive_application_data_stored_unencrypted",
771
+ "children": [
772
+ {
773
+ "id": "on_external_storage",
774
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
775
+ }
776
+ ]
777
+ },
778
+ {
779
+ "id": "server_side_credentials_storage",
780
+ "children": [
781
+ {
782
+ "id": "plaintext",
783
+ "cvss_v3": "AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:N"
784
+ }
785
+ ]
786
+ }
787
+ ]
788
+ },
789
+ {
790
+ "id": "lack_of_binary_hardening",
791
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
792
+ },
793
+ {
794
+ "id": "insecure_data_transport",
795
+ "children": [
796
+ {
797
+ "id": "cleartext_transmission_of_sensitive_data",
798
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
799
+ },
800
+ {
801
+ "id": "executable_download",
802
+ "children": [
803
+ {
804
+ "id": "no_secure_integrity_check",
805
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N"
806
+ },
807
+ {
808
+ "id": "secure_integrity_check",
809
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:N"
810
+ }
811
+ ]
812
+ }
813
+ ]
814
+ },
815
+ {
816
+ "id": "insecure_os_firmware",
817
+ "children": [
818
+ {
819
+ "id": "command_injection",
820
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
821
+ },
822
+ {
823
+ "id": "hardcoded_password",
824
+ "children": [
825
+ {
826
+ "id": "privileged_user",
827
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
828
+ },
829
+ {
830
+ "id": "non_privileged_user",
831
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
832
+ }
833
+ ]
834
+ }
835
+ ]
836
+ },
837
+ {
838
+ "id": "broken_cryptography",
839
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"
840
+ },
841
+ {
842
+ "id": "privacy_concerns",
843
+ "children": [
844
+ {
845
+ "id": "unnecessary_data_collection",
846
+ "children": [
847
+ {
848
+ "id": "wifi_ssid_password",
849
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
850
+ }
851
+ ]
852
+ }
853
+ ]
854
+ },
855
+ {
856
+ "id": "network_security_misconfiguration",
857
+ "children": [
858
+ {
859
+ "id": "telnet_enabled",
860
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
861
+ }
862
+ ]
863
+ },
864
+ {
865
+ "id": "mobile_security_misconfiguration",
866
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
867
+ "children": [
868
+ {
869
+ "id": "clipboard_enabled",
870
+ "cvss_v3": "AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N"
871
+ },
872
+ {
873
+ "id": "auto_backup_allowed_by_default",
874
+ "cvss_v3": "AV:P/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"
875
+ }
876
+ ]
877
+ },
878
+ {
879
+ "id": "client_side_injection",
880
+ "children": [
881
+ {
882
+ "id": "binary_planting",
883
+ "children": [
884
+ {
885
+ "id": "privilege_escalation",
886
+ "cvss_v3": "AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
887
+ },
888
+ {
889
+ "id": "non_default_folder_privilege_escalation",
890
+ "cvss_v3": "AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N"
891
+ },
892
+ {
893
+ "id": "no_privilege_escalation",
894
+ "cvss_v3": "AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N"
895
+ }
896
+ ]
897
+ }
898
+ ]
899
+ },
900
+ {
901
+ "id": "automotive_security_misconfiguration",
902
+ "children": [
903
+ {
904
+ "id": "infotainment_radio_head_unit",
905
+ "children": [
906
+ {
907
+ "id": "pii_leakage",
908
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"
909
+ },
910
+ {
911
+ "id": "ota_firmware_manipulation",
912
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
913
+ },
914
+ {
915
+ "id": "code_execution_can_bus_pivot",
916
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
917
+ },
918
+ {
919
+ "id": "code_execution_no_can_bus_pivot",
920
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L"
921
+ },
922
+ {
923
+ "id": "unauthorized_access_to_services",
924
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L"
925
+ },
926
+ {
927
+ "id": "source_code_dump",
928
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"
929
+ },
930
+ {
931
+ "id": "dos_brick",
932
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
933
+ },
934
+ {
935
+ "id": "default_credentials",
936
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
937
+ }
938
+ ]
939
+ },
940
+ {
941
+ "id": "rf_hub",
942
+ "children": [
943
+ {
944
+ "id": "key_fob_cloning",
945
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"
946
+ },
947
+ {
948
+ "id": "can_injection_interaction",
949
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
950
+ },
951
+ {
952
+ "id": "data_leakage_pull_encryption_mechanism",
953
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"
954
+ },
955
+ {
956
+ "id": "unauthorized_access_turn_on",
957
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L"
958
+ },
959
+ {
960
+ "id": "roll_jam",
961
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
962
+ },
963
+ {
964
+ "id": "replay",
965
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
966
+ },
967
+ {
968
+ "id": "relay",
969
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
970
+ }
971
+ ]
972
+ },
973
+ {
974
+ "id": "can",
975
+ "children": [
976
+ {
977
+ "id": "injection_battery_management_system",
978
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
979
+ },
980
+ {
981
+ "id": "injection_steering_control",
982
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
983
+ },
984
+ {
985
+ "id": "injection_pyrotechnical_device_deployment_tool",
986
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
987
+ },
988
+ {
989
+ "id": "injection_headlights",
990
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
991
+ },
992
+ {
993
+ "id": "injection_sensors",
994
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
995
+ },
996
+ {
997
+ "id": "injection_vehicle_anti_theft_systems",
998
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
999
+ },
1000
+ {
1001
+ "id": "injection_powertrain",
1002
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
1003
+ },
1004
+ {
1005
+ "id": "injection_basic_safety_message",
1006
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
1007
+ },
1008
+ {
1009
+ "id": "injection_disallowed_messages",
1010
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
1011
+ },
1012
+ {
1013
+ "id": "injection_dos",
1014
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
1015
+ }
1016
+ ]
1017
+ },
1018
+ {
1019
+ "id": "battery_management_system",
1020
+ "children": [
1021
+ {
1022
+ "id": "firmware_dump",
1023
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"
1024
+ },
1025
+ {
1026
+ "id": "fraudulent_interface",
1027
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H"
1028
+ }
1029
+ ]
1030
+ },
1031
+ {
1032
+ "id": "gnss_gps",
1033
+ "children": [
1034
+ {
1035
+ "id": "spoofing",
1036
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
1037
+ }
1038
+ ]
1039
+ },
1040
+ {
1041
+ "id": "immobilizer",
1042
+ "children": [
1043
+ {
1044
+ "id": "engine_start",
1045
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
1046
+ }
1047
+ ]
1048
+ },
1049
+ {
1050
+ "id": "abs",
1051
+ "children": [
1052
+ {
1053
+ "id": "unintended_acceleration_brake",
1054
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
1055
+ }
1056
+ ]
1057
+ },
1058
+ {
1059
+ "id": "rsu",
1060
+ "children": [
1061
+ {
1062
+ "id": "sybil_attack",
1063
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
1064
+ }
1065
+ ]
1066
+ }
1067
+ ]
1068
+ },
1069
+ {
1070
+ "id": "indicators_of_compromise",
1071
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
1072
+ }
1073
+ ]
1074
+ }