vrt 0.7.1 → 0.11.0

Files changed (65) hide show
  1. checksums.yaml +5 -5
  2. data/lib/data/1.10.1/deprecated-node-mapping.json +200 -0
  3. data/lib/data/1.10.1/mappings/cvss_v3/cvss_v3.json +1074 -0
  4. data/lib/data/1.10.1/mappings/cvss_v3/cvss_v3.schema.json +59 -0
  5. data/lib/data/1.10.1/mappings/cwe/cwe.json +477 -0
  6. data/lib/data/1.10.1/mappings/cwe/cwe.schema.json +63 -0
  7. data/lib/data/1.10.1/mappings/remediation_advice/remediation_advice.json +1543 -0
  8. data/lib/data/1.10.1/mappings/remediation_advice/remediation_advice.schema.json +75 -0
  9. data/lib/data/1.10.1/third-party-mappings/remediation_training/secure-code-warrior-links.json +348 -0
  10. data/lib/data/1.10.1/vrt.schema.json +63 -0
  11. data/lib/data/1.10.1/vulnerability-rating-taxonomy.json +2171 -0
  12. data/lib/data/1.10/deprecated-node-mapping.json +200 -0
  13. data/lib/data/1.10/mappings/cvss_v3/cvss_v3.json +1074 -0
  14. data/lib/data/1.10/mappings/cvss_v3/cvss_v3.schema.json +59 -0
  15. data/lib/data/1.10/mappings/cwe/cwe.json +477 -0
  16. data/lib/data/1.10/mappings/cwe/cwe.schema.json +63 -0
  17. data/lib/data/1.10/mappings/remediation_advice/remediation_advice.json +1543 -0
  18. data/lib/data/1.10/mappings/remediation_advice/remediation_advice.schema.json +75 -0
  19. data/lib/data/1.10/third-party-mappings/remediation_training/secure-code-warriors-links.json +348 -0
  20. data/lib/data/1.10/vrt.schema.json +63 -0
  21. data/lib/data/1.10/vulnerability-rating-taxonomy.json +2171 -0
  22. data/lib/data/1.7.1/deprecated-node-mapping.json +149 -0
  23. data/lib/data/1.7.1/mappings/cvss_v3/cvss_v3.json +928 -0
  24. data/lib/data/1.7.1/mappings/cvss_v3/cvss_v3.schema.json +59 -0
  25. data/lib/data/1.7.1/mappings/cwe/cwe.json +441 -0
  26. data/lib/data/1.7.1/mappings/cwe/cwe.schema.json +63 -0
  27. data/lib/data/1.7.1/mappings/remediation_advice/remediation_advice.json +1354 -0
  28. data/lib/data/1.7.1/mappings/remediation_advice/remediation_advice.schema.json +75 -0
  29. data/lib/data/1.7.1/vrt.schema.json +63 -0
  30. data/lib/data/1.7.1/vulnerability-rating-taxonomy.json +1937 -0
  31. data/lib/data/1.7/deprecated-node-mapping.json +149 -0
  32. data/lib/data/1.7/mappings/cvss_v3/cvss_v3.json +861 -0
  33. data/lib/data/1.7/mappings/cvss_v3/cvss_v3.schema.json +59 -0
  34. data/lib/data/1.7/mappings/cwe/cwe.json +441 -0
  35. data/lib/data/1.7/mappings/cwe/cwe.schema.json +63 -0
  36. data/lib/data/1.7/mappings/remediation_advice/remediation_advice.json +1230 -0
  37. data/lib/data/1.7/mappings/remediation_advice/remediation_advice.schema.json +75 -0
  38. data/lib/data/1.7/vrt.schema.json +63 -0
  39. data/lib/data/1.7/vulnerability-rating-taxonomy.json +1937 -0
  40. data/lib/data/1.8/deprecated-node-mapping.json +149 -0
  41. data/lib/data/1.8/mappings/cvss_v3/cvss_v3.json +935 -0
  42. data/lib/data/1.8/mappings/cvss_v3/cvss_v3.schema.json +59 -0
  43. data/lib/data/1.8/mappings/cwe/cwe.json +453 -0
  44. data/lib/data/1.8/mappings/cwe/cwe.schema.json +63 -0
  45. data/lib/data/1.8/mappings/remediation_advice/remediation_advice.json +1381 -0
  46. data/lib/data/1.8/mappings/remediation_advice/remediation_advice.schema.json +75 -0
  47. data/lib/data/1.8/vrt.schema.json +63 -0
  48. data/lib/data/1.8/vulnerability-rating-taxonomy.json +1948 -0
  49. data/lib/data/1.9/deprecated-node-mapping.json +158 -0
  50. data/lib/data/1.9/mappings/cvss_v3/cvss_v3.json +1002 -0
  51. data/lib/data/1.9/mappings/cvss_v3/cvss_v3.schema.json +59 -0
  52. data/lib/data/1.9/mappings/cwe/cwe.json +457 -0
  53. data/lib/data/1.9/mappings/cwe/cwe.schema.json +63 -0
  54. data/lib/data/1.9/mappings/remediation_advice/remediation_advice.json +1409 -0
  55. data/lib/data/1.9/mappings/remediation_advice/remediation_advice.schema.json +75 -0
  56. data/lib/data/1.9/vrt.schema.json +63 -0
  57. data/lib/data/1.9/vulnerability-rating-taxonomy.json +2053 -0
  58. data/lib/generators/vrt/install_generator.rb +1 -1
  59. data/lib/vrt.rb +2 -0
  60. data/lib/vrt/cross_version_mapping.rb +3 -2
  61. data/lib/vrt/errors.rb +5 -0
  62. data/lib/vrt/map.rb +8 -5
  63. data/lib/vrt/mapping.rb +12 -1
  64. data/lib/vrt/version.rb +1 -1
  65. metadata +92 -32
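--- a/data/lib/data/1.9/deprecated-node-mapping.json
+++ b/data/lib/data/1.9/deprecated-node-mapping.json
@@ -0,0 +1,158 @@
+{
+"poor_physical_security": {
+"1.1": "other"
+},
+"social_engineering": {
+"1.1": "other"
+},
+"unvalidated_redirects_and_forwards.open_redirect.get_based_all_users": {
+"1.2": "unvalidated_redirects_and_forwards.open_redirect.get_based"
+},
+"unvalidated_redirects_and_forwards.open_redirect.get_based_authenticated": {
+"1.2": "unvalidated_redirects_and_forwards.open_redirect.get_based"
+},
+"unvalidated_redirects_and_forwards.open_redirect.get_based_unauthenticated": {
+"1.2": "unvalidated_redirects_and_forwards.open_redirect.get_based"
+},
+"broken_authentication_and_session_management.session_token_in_url.over_https": {
+"1.2": "sensitive_data_exposure.sensitive_token_in_url"
+},
+"broken_authentication_and_session_management.session_token_in_url.over_http": {
+"1.2": "sensitive_data_exposure.sensitive_token_in_url"
+},
+"broken_authentication_and_session_management.session_token_in_url": {
+"1.2": "sensitive_data_exposure.sensitive_token_in_url"
+},
+"insecure_data_transport": {
+"1.2": "mobile_security_misconfiguration"
+},
+"insecure_data_transport.ssl_certificate_pinning": {
+"1.2": "mobile_security_misconfiguration.ssl_certificate_pinning"
+},
+"insecure_data_transport.ssl_certificate_pinning.absent": {
+"1.2": "mobile_security_misconfiguration.ssl_certificate_pinning.absent"
+},
+"insecure_data_transport.ssl_certificate_pinning.defeatable": {
+"1.2": "mobile_security_misconfiguration.ssl_certificate_pinning.defeatable"
+},
+"insecure_data_storage.credentials_stored_unencrypted": {
+"1.2": "insecure_data_storage.sensitive_application_data_stored_unencrypted"
+},
+"insecure_data_storage.credentials_stored_unencrypted.on_external_storage": {
+"1.2": "insecure_data_storage.sensitive_application_data_stored_unencrypted.on_external_storage"
+},
+"insecure_data_storage.credentials_stored_unencrypted.on_internal_storage": {
+"1.2": "insecure_data_storage.sensitive_application_data_stored_unencrypted.on_internal_storage"
+},
+"insufficient_security_configurability.weak_password_policy.complexity_both_length_and_char_type_not_enforced": {
+"1.2": "insufficient_security_configurability.no_password_policy"
+},
+"missing_function_level_access_control": {
+"1.3": "broken_access_control"
+},
+"missing_function_level_access_control.server_side_request_forgery_ssrf": {
+"1.3": "broken_access_control.server_side_request_forgery_ssrf"
+},
+"missing_function_level_access_control.server_side_request_forgery_ssrf.internal": {
+"1.3": "broken_access_control.server_side_request_forgery_ssrf.internal"
+},
+"missing_function_level_access_control.server_side_request_forgery_ssrf.external": {
+"1.3": "broken_access_control.server_side_request_forgery_ssrf.external"
+},
+"missing_function_level_access_control.username_enumeration": {
+"1.3": "broken_access_control.username_enumeration"
+},
+"missing_function_level_access_control.username_enumeration.data_leak": {
+"1.3": "broken_access_control.username_enumeration.data_leak"
+},
+"missing_function_level_access_control.exposed_sensitive_android_intent": {
+"1.3": "broken_access_control.exposed_sensitive_android_intent"
+},
+"missing_function_level_access_control.exposed_sensitive_ios_url_scheme": {
+"1.3": "broken_access_control.exposed_sensitive_ios_url_scheme"
+},
+"insecure_direct_object_references_idor": {
+"1.3": "broken_access_control.idor"
+},
+"broken_authentication_and_session_management.weak_login_function.over_http": {
+"1.4": "broken_authentication_and_session_management.weak_login_function.https_not_available_or_http_by_default"
+},
+"cross_site_scripting_xss.ie_only.older_version_ie_10_11": {
+"1.4": "cross_site_scripting_xss.ie_only.ie11"
+},
+"cross_site_scripting_xss.ie_only.older_version_ie10": {
+"1.4": "cross_site_scripting_xss.ie_only.older_version_ie11"
+},
+"broken_authentication_and_session_management.failure_to_invalidate_session.on_password_reset": {
+"1.4": "broken_authentication_and_session_management.failure_to_invalidate_session.on_password_change"
+},
+"network_security_misconfiguration.telnet_enabled.credentials_required": {
+"1.4": "broken_authentication_and_session_management.weak_login_function.other_plaintext_protocol_no_secure_alternative"
+},
+"server_security_misconfiguration.mail_server_misconfiguration.missing_spf_on_email_domain": {
+"1.5": "server_security_misconfiguration.mail_server_misconfiguration.email_spoofing_on_email_domain"
+},
+"server_security_misconfiguration.mail_server_misconfiguration.email_spoofable_via_third_party_api_misconfiguration": {
+"1.5": "server_security_misconfiguration.mail_server_misconfiguration.email_spoofing_on_email_domain"
+},
+"cross_site_scripting_xss.stored.admin_to_anyone": {
+"1.5": "cross_site_scripting_xss.stored.privileged_user_to_privilege_elevation"
+},
+"server_security_misconfiguration.misconfigured_dns.subdomain_takeover": {
+"1.5": "server_security_misconfiguration.misconfigured_dns.basic_subdomain_takeover"
+},
+"server_security_misconfiguration.captcha_bypass": {
+"1.5": "server_security_misconfiguration.captcha"
+},
+"server_security_misconfiguration.captcha_bypass.implementation_vulnerability": {
+"1.5": "server_security_misconfiguration.captcha.implementation_vulnerability"
+},
+"server_security_misconfiguration.captcha_bypass.brute_force": {
+"1.5": "server_security_misconfiguration.captcha.brute_force"
+},
+"broken_access_control.server_side_request_forgery_ssrf.internal": {
+"1.6": "broken_access_control.server_side_request_forgery_ssrf.internal_high_impact"
+},
+"server_security_misconfiguration.mail_server_misconfiguration.email_spoofing_on_email_domain": {
+"1.6": "server_security_misconfiguration.mail_server_misconfiguration.no_spoofing_protection_on_email_domain"
+},
+"server_security_misconfiguration.mail_server_misconfiguration.missing_spf_on_non_email_domain": {
+"1.6": "server_security_misconfiguration.mail_server_misconfiguration.missing_or_misconfigured_spf_and_or_dkim"
+},
+"server_security_misconfiguration.mail_server_misconfiguration.spf_uses_a_soft_fail": {
+"1.6": "server_security_misconfiguration.mail_server_misconfiguration.missing_or_misconfigured_spf_and_or_dkim"
+},
+"server_security_misconfiguration.mail_server_misconfiguration.spf_includes_10_lookups": {
+"1.6": "server_security_misconfiguration.mail_server_misconfiguration.missing_or_misconfigured_spf_and_or_dkim"
+},
+"server_security_misconfiguration.mail_server_misconfiguration.missing_dmarc": {
+"1.6": "server_security_misconfiguration.mail_server_misconfiguration.email_spoofing_to_inbox_due_to_missing_or_misconfigured_dmarc_on_email_domain"
+},
+"broken_access_control.username_enumeration.data_leak": {
+"1.7": "broken_access_control.username_enumeration.non_brute_force"
+},
+"insufficient_security_configurability.weak_2fa_implementation": {
+"1.7": "insufficient_security_configurability.weak_two_fa_implementation"
+},
+"sensitive_data_exposure.token_leakage_via_referer.trusted_3rd_party": {
+"1.7": "sensitive_data_exposure.token_leakage_via_referer.trusted_third_party"
+},
+"sensitive_data_exposure.token_leakage_via_referer.untrusted_3rd_party": {
+"1.7": "sensitive_data_exposure.token_leakage_via_referer.untrusted_third_party"
+},
+"cross_site_scripting_xss.ie_only.ie11": {
+"1.7": "cross_site_scripting_xss.ie_only.ie_eleven"
+},
+"cross_site_scripting_xss.ie_only.older_version_ie11": {
+"1.7": "cross_site_scripting_xss.ie_only.older_version_ie_eleven"
+},
+"sensitive_data_exposure.critically_sensitive_data.password_disclosure": {
+"1.9": "sensitive_data_exposure.disclosure_of_secrets"
+},
+"sensitive_data_exposure.critically_sensitive_data.private_api_keys": {
+"1.9": "sensitive_data_exposure.disclosure_of_secrets"
+},
+"sensitive_data_exposure.critically_sensitive_data": {
+"1.9": "sensitive_data_exposure"
+}
+}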
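Review bot: Several entries in this mapping are multi-hop chains, so a consumer that applies the table once lands on an ID this same file retires again later: `missing_function_level_access_control.server_side_request_forgery_ssrf.internal` resolves at 1.3 to `broken_access_control.server_side_request_forgery_ssrf.internal`, which is deprecated at 1.6, and `cross_site_scripting_xss.ie_only.older_version_ie_10_11` goes to `ie11` at 1.4 and then `ie_eleven` at 1.7 (the `missing_spf_on_email_domain` 1.5→1.6 chain is a third). Nothing in the data says resolution must be transitive, so that should be confirmed in `cross_version_mapping.rb` (changed in this release per the diffstat, not shown here) and stated in the file's description or `vrt.schema.json`, since strict JSON leaves no room for a comment. Separately, the three 1.9 entries remap `sensitive_data_exposure.critically_sensitive_data*` onto `sensitive_data_exposure.disclosure_of_secrets` and the bare `sensitive_data_exposure` category, and in the 1.9 cvss_v3.json further down neither of those parent nodes carries a `cvss_v3` vector of its own. Whatever fallback the lookup applies to a scoreless node (the file's `metadata.default` is the all-N, zero-impact vector) will silently re-rate a historical password or private-API-key disclosure, so either confirm the parent fallback is intended or point the mapping at a scored child such as `sensitive_data_exposure.disclosure_of_secrets.for_publicly_accessible_asset`.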
@@ -0,0 +1,1002 @@
1
+ {
2
+ "metadata": {
3
+ "default": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
4
+ },
5
+ "content": [
6
+ {
7
+ "id": "server_security_misconfiguration",
8
+ "children": [
9
+ {
10
+ "id": "unsafe_cross_origin_resource_sharing",
11
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N"
12
+ },
13
+ {
14
+ "id": "path_traversal",
15
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
16
+ },
17
+ {
18
+ "id": "directory_listing_enabled",
19
+ "children": [
20
+ {
21
+ "id": "sensitive_data_exposure",
22
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
23
+ },
24
+ {
25
+ "id": "non_sensitive_data_exposure",
26
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
27
+ }
28
+ ]
29
+ },
30
+ {
31
+ "id": "same_site_scripting",
32
+ "cvss_v3": "AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N"
33
+ },
34
+ {
35
+ "id": "ssl_attack_breach_poodle_etc",
36
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"
37
+ },
38
+ {
39
+ "id": "using_default_credentials",
40
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
41
+ },
42
+ {
43
+ "id": "misconfigured_dns",
44
+ "children": [
45
+ {
46
+ "id": "basic_subdomain_takeover",
47
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
48
+ },
49
+ {
50
+ "id": "high_impact_subdomain_takeover",
51
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N"
52
+ },
53
+ {
54
+ "id": "zone_transfer",
55
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
56
+ },
57
+ {
58
+ "id": "missing_caa_record",
59
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
60
+ }
61
+ ]
62
+ },
63
+ {
64
+ "id": "mail_server_misconfiguration",
65
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
66
+ "children": [
67
+ {
68
+ "id": "no_spoofing_protection_on_email_domain",
69
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
70
+ },
71
+ {
72
+ "id": "email_spoofing_to_inbox_due_to_missing_or_misconfigured_dmarc_on_email_domain",
73
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"
74
+ }
75
+ ]
76
+ },
77
+ {
78
+ "id": "dbms_misconfiguration",
79
+ "children": [
80
+ {
81
+ "id": "excessively_privileged_user_dba",
82
+ "cvss_v3": "AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N"
83
+ }
84
+ ]
85
+ },
86
+ {
87
+ "id": "lack_of_password_confirmation",
88
+ "cvss_v3": "AV:P/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L",
89
+ "children": [
90
+ {
91
+ "id": "manage_two_fa",
92
+ "cvss_v3": "AV:P/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L"
93
+ }
94
+ ]
95
+ },
96
+ {
97
+ "id": "no_rate_limiting_on_form",
98
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
99
+ "children": [
100
+ {
101
+ "id": "login",
102
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
103
+ },
104
+ {
105
+ "id": "change_password",
106
+ "cvss_v3": "AV:P/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L"
107
+ }
108
+ ]
109
+ },
110
+ {
111
+ "id": "unsafe_file_upload",
112
+ "children": [
113
+ {
114
+ "id": "no_antivirus",
115
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N"
116
+ },
117
+ {
118
+ "id": "no_size_limit",
119
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
120
+ },
121
+ {
122
+ "id": "file_extension_filter_bypass",
123
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
124
+ }
125
+ ]
126
+ },
127
+ {
128
+ "id": "cookie_scoped_to_parent_domain",
129
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
130
+ },
131
+ {
132
+ "id": "missing_secure_or_httponly_cookie_flag",
133
+ "children": [
134
+ {
135
+ "id": "session_token",
136
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
137
+ },
138
+ {
139
+ "id": "non_session_cookie",
140
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
141
+ }
142
+ ]
143
+ },
144
+ {
145
+ "id": "clickjacking",
146
+ "children": [
147
+ {
148
+ "id": "sensitive_action",
149
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
150
+ },
151
+ {
152
+ "id": "form_input",
153
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"
154
+ },
155
+ {
156
+ "id": "non_sensitive_action",
157
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N"
158
+ }
159
+ ]
160
+ },
161
+ {
162
+ "id": "oauth_misconfiguration",
163
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
164
+ "children": [
165
+ {
166
+ "id": "account_takeover",
167
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
168
+ }
169
+ ]
170
+ },
171
+ {
172
+ "id": "captcha",
173
+ "children": [
174
+ {
175
+ "id": "implementation_vulnerability",
176
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
177
+ },
178
+ {
179
+ "id": "brute_force",
180
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
181
+ },
182
+ {
183
+ "id": "missing",
184
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
185
+ }
186
+ ]
187
+ },
188
+ {
189
+ "id": "exposed_admin_portal",
190
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
191
+ },
192
+ {
193
+ "id": "missing_dnssec",
194
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
195
+ },
196
+ {
197
+ "id": "fingerprinting_banner_disclosure",
198
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
199
+ },
200
+ {
201
+ "id": "username_enumeration",
202
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
203
+ },
204
+ {
205
+ "id": "potentially_unsafe_http_method_enabled",
206
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
207
+ },
208
+ {
209
+ "id": "insecure_ssl",
210
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
211
+ },
212
+ {
213
+ "id": "rfd",
214
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N"
215
+ },
216
+ {
217
+ "id": "lack_of_security_headers",
218
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N",
219
+ "children": [
220
+ {
221
+ "id": "cache_control_for_a_sensitive_page",
222
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
223
+ }
224
+ ]
225
+ },
226
+ {
227
+ "id": "waf_bypass",
228
+ "children": [
229
+ {
230
+ "id": "direct_server_access",
231
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
232
+ }
233
+ ]
234
+ },
235
+ {
236
+ "id": "race_condition",
237
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
238
+ },
239
+ {
240
+ "id": "cache_poisoning",
241
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
242
+ },
243
+ {
244
+ "id": "bitsquatting",
245
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
246
+ }
247
+ ]
248
+ },
249
+ {
250
+ "id": "server_side_injection",
251
+ "children": [
252
+ {
253
+ "id": "file_inclusion",
254
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"
255
+ },
256
+ {
257
+ "id": "parameter_pollution",
258
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
259
+ },
260
+ {
261
+ "id": "remote_code_execution_rce",
262
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
263
+ },
264
+ {
265
+ "id": "sql_injection",
266
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"
267
+ },
268
+ {
269
+ "id": "xml_external_entity_injection_xxe",
270
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"
271
+ },
272
+ {
273
+ "id": "http_response_manipulation",
274
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
275
+ },
276
+ {
277
+ "id": "content_spoofing",
278
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N",
279
+ "children": [
280
+ {
281
+ "id": "iframe_injection",
282
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"
283
+ },
284
+ {
285
+ "id": "impersonation_via_broken_link_hijacking",
286
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
287
+ },
288
+ {
289
+ "id": "external_authentication_injection",
290
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"
291
+ },
292
+ {
293
+ "id": "flash_based_external_authentication_injection",
294
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"
295
+ },
296
+ {
297
+ "id": "email_html_injection",
298
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"
299
+ }
300
+ ]
301
+ },
302
+ {
303
+ "id": "ssti",
304
+ "children": [
305
+ {
306
+ "id": "basic",
307
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
308
+ },
309
+ {
310
+ "id": "custom",
311
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
312
+ }
313
+ ]
314
+ }
315
+ ]
316
+ },
317
+ {
318
+ "id": "broken_authentication_and_session_management",
319
+ "children": [
320
+ {
321
+ "id": "authentication_bypass",
322
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
323
+ },
324
+ {
325
+ "id": "two_fa_bypass",
326
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
327
+ },
328
+ {
329
+ "id": "privilege_escalation",
330
+ "cvss_v3": "AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N"
331
+ },
332
+ {
333
+ "id": "cleartext_transmission_of_session_token",
334
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
335
+ },
336
+ {
337
+ "id": "weak_login_function",
338
+ "children": [
339
+ {
340
+ "id": "not_operational",
341
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
342
+ },
343
+ {
344
+ "id": "other_plaintext_protocol_no_secure_alternative",
345
+ "cvss_v3": "AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
346
+ },
347
+ {
348
+ "id": "lan_only",
349
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
350
+ },
351
+ {
352
+ "id": "http_and_https_available",
353
+ "cvss_v3": "AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
354
+ },
355
+ {
356
+ "id": "https_not_available_or_http_by_default",
357
+ "cvss_v3": "AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
358
+ }
359
+ ]
360
+ },
361
+ {
362
+ "id": "session_fixation",
363
+ "children": [
364
+ {
365
+ "id": "remote_attack_vector",
366
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N"
367
+ },
368
+ {
369
+ "id": "local_attack_vector",
370
+ "cvss_v3": "AV:P/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N"
371
+ }
372
+ ]
373
+ },
374
+ {
375
+ "id": "failure_to_invalidate_session",
376
+ "children": [
377
+ {
378
+ "id": "on_logout",
379
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N"
380
+ },
381
+ {
382
+ "id": "on_logout_server_side_only",
383
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N"
384
+ },
385
+ {
386
+ "id": "on_password_change",
387
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N"
388
+ },
389
+ {
390
+ "id": "all_sessions",
391
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N"
392
+ },
393
+ {
394
+ "id": "on_email_change",
395
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N"
396
+ },
397
+ {
398
+ "id": "on_two_fa_activation_change",
399
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N"
400
+ },
401
+ {
402
+ "id": "long_timeout",
403
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N"
404
+ }
405
+ ]
406
+ },
407
+ {
408
+ "id": "concurrent_logins",
409
+ "cvss_v3": "AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N"
410
+ },
411
+ {
412
+ "id": "weak_registration_implementation",
413
+ "cvss_v3": "AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"
414
+ }
415
+ ]
416
+ },
417
+ {
418
+ "id": "sensitive_data_exposure",
419
+ "children": [
420
+ {
421
+ "id": "disclosure_of_secrets",
422
+ "children": [
423
+ {
424
+ "id": "for_publicly_accessible_asset",
425
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
426
+ },
427
+ {
428
+ "id": "for_internal_asset",
429
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L"
430
+ },
431
+ {
432
+ "id": "pay_per_use_abuse",
433
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
434
+ },
435
+ {
436
+ "id": "intentionally_public_sample_or_invalid",
437
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
438
+ },
439
+ {
440
+ "id": "data_traffic_spam",
441
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
442
+ },
443
+ {
444
+ "id": "non_corporate_user",
445
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
446
+ }
447
+ ]
448
+ },
449
+ {
450
+ "id": "exif_geolocation_data_not_stripped_from_uploaded_images",
451
+ "children": [
452
+ {
453
+ "id": "automatic_user_enumeration",
454
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
455
+ },
456
+ {
457
+ "id": "manual_user_enumeration",
458
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
459
+ }
460
+ ]
461
+ },
462
+ {
463
+ "id": "visible_detailed_error_page",
464
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
465
+ "children": [
466
+ {
467
+ "id": "detailed_server_configuration",
468
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
469
+ }
470
+ ]
471
+ },
472
+ {
473
+ "id": "disclosure_of_known_public_information",
474
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
475
+ },
476
+ {
477
+ "id": "token_leakage_via_referer",
478
+ "children": [
479
+ {
480
+ "id": "trusted_third_party",
481
+ "cvss_v3": "AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N"
482
+ },
483
+ {
484
+ "id": "untrusted_third_party",
485
+ "cvss_v3": "AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N"
486
+ },
487
+ {
488
+ "id": "over_http",
489
+ "cvss_v3": "AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N"
490
+ }
491
+ ]
492
+ },
493
+ {
494
+ "id": "sensitive_token_in_url",
495
+ "cvss_v3": "AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
496
+ },
497
+ {
498
+ "id": "non_sensitive_token_in_url",
499
+ "cvss_v3": "AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
500
+ },
501
+ {
502
+ "id": "weak_password_reset_implementation",
503
+ "cvss_v3": "AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N",
504
+ "children": [
505
+ {
506
+ "id": "token_leakage_via_host_header_poisoning",
507
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L"
508
+ }
509
+ ]
510
+ },
511
+ {
512
+ "id": "mixed_content",
513
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:N"
514
+ },
515
+ {
516
+ "id": "sensitive_data_hardcoded",
517
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
518
+ },
519
+ {
520
+ "id": "internal_ip_disclosure",
521
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
522
+ },
523
+ {
524
+ "id": "xssi",
525
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N"
526
+ },
527
+ {
528
+ "id": "json_hijacking",
529
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N"
530
+ },
531
+ {
532
+ "id": "via_localstorage_sessionstorage",
533
+ "children": [
534
+ {
535
+ "id": "sensitive_token",
536
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
537
+ },
538
+ {
539
+ "id": "non_sensitive_token",
540
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
541
+ }
542
+ ]
543
+ }
544
+ ]
545
+ },
546
+ {
547
+ "id": "cross_site_scripting_xss",
548
+ "children": [
549
+ {
550
+ "id": "stored",
551
+ "children": [
552
+ {
553
+ "id": "non_admin_to_anyone",
554
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N"
555
+ },
556
+ {
557
+ "id": "privileged_user_to_privilege_elevation",
558
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N"
559
+ },
560
+ {
561
+ "id": "privileged_user_to_no_privilege_elevation",
562
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N"
563
+ },
564
+ {
565
+ "id": "url_based",
566
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
567
+ },
568
+ {
569
+ "id": "self",
570
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
571
+ }
572
+ ]
573
+ },
574
+ {
575
+ "id": "reflected",
576
+ "children": [
577
+ {
578
+ "id": "non_self",
579
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
580
+ },
581
+ {
582
+ "id": "self",
583
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
584
+ }
585
+ ]
586
+ },
587
+ {
588
+ "id": "flash_based",
589
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
590
+ },
591
+ {
592
+ "id": "cookie_based",
593
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:N"
594
+ },
595
+ {
596
+ "id": "ie_only",
597
+ "children": [
598
+ {
599
+ "id": "ie_eleven",
600
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
601
+ },
602
+ {
603
+ "id": "xss_filter_disabled",
604
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
605
+ },
606
+ {
607
+ "id": "older_version_ie_eleven",
608
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:N"
609
+ }
610
+ ]
611
+ },
612
+ {
613
+ "id": "referer",
614
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
615
+ },
616
+ {
617
+ "id": "trace_method",
618
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
619
+ },
620
+ {
621
+ "id": "universal_uxss",
622
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
623
+ },
624
+ {
625
+ "id": "off_domain",
626
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
627
+ }
628
+ ]
629
+ },
630
+ {
631
+ "id": "broken_access_control",
632
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
633
+ "children": [
634
+ {
635
+ "id": "server_side_request_forgery_ssrf",
636
+ "children": [
637
+ {
638
+ "id": "internal_high_impact",
639
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"
640
+ },
641
+ {
642
+ "id": "internal_scan_and_or_medium_impact",
643
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N"
644
+ },
645
+ {
646
+ "id": "external",
647
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L"
648
+ }
649
+ ]
650
+ },
651
+ {
652
+ "id": "username_enumeration",
653
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
654
+ }
655
+ ]
656
+ },
657
+ {
658
+ "id": "cross_site_request_forgery_csrf",
659
+ "children": [
660
+ {
661
+ "id": "application_wide",
662
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L"
663
+ },
664
+ {
665
+ "id": "action_specific",
666
+ "children": [
667
+ {
668
+ "id": "authenticated_action",
669
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N"
670
+ },
671
+ {
672
+ "id": "unauthenticated_action",
673
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
674
+ },
675
+ {
676
+ "id": "logout",
677
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N"
678
+ }
679
+ ]
680
+ },
681
+ {
682
+ "id": "csrf_token_not_unique_per_request",
683
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
684
+ },
685
+ {
686
+ "id": "flash_based",
687
+ "children": [
688
+ {
689
+ "id": "high_impact",
690
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N"
691
+ },
692
+ {
693
+ "id": "low_impact",
694
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"
695
+ }
696
+ ]
697
+ }
698
+ ]
699
+ },
700
+ {
701
+ "id": "application_level_denial_of_service_dos",
702
+ "children": [
703
+ {
704
+ "id": "critical_impact_and_or_easy_difficulty",
705
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
706
+ },
707
+ {
708
+ "id": "high_impact_and_or_medium_difficulty",
709
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
710
+ },
711
+ {
712
+ "id": "app_crash",
713
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
714
+ }
715
+ ]
716
+ },
717
+ {
718
+ "id": "unvalidated_redirects_and_forwards",
719
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
720
+ "children": [
721
+ {
722
+ "id": "open_redirect",
723
+ "children": [
724
+ {
725
+ "id": "get_based",
726
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
727
+ }
728
+ ]
729
+ }
730
+ ]
731
+ },
732
+ {
733
+ "id": "external_behavior",
734
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
735
+ },
736
+ {
737
+ "id": "insufficient_security_configurability",
738
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
739
+ "children": [
740
+ {
741
+ "id": "no_password_policy",
742
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"
743
+ },
744
+ {
745
+ "id": "weak_password_reset_implementation",
746
+ "children": [
747
+ {
748
+ "id": "token_is_not_invalidated_after_use",
749
+ "cvss_v3": "AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"
750
+ }
751
+ ]
752
+ },
753
+ {
754
+ "id": "weak_two_fa_implementation",
755
+ "children": [
756
+ {
757
+ "id": "two_fa_secret_cannot_be_rotated",
758
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
759
+ },
760
+ {
761
+ "id": "two_fa_secret_remains_obtainable_after_two_fa_is_enabled",
762
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
763
+ }
764
+ ]
765
+ }
766
+ ]
767
+ },
768
+ {
769
+ "id": "using_components_with_known_vulnerabilities",
770
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
771
+ "children": [
772
+ {
773
+ "id": "rosetta_flash",
774
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"
775
+ }
776
+ ]
777
+ },
778
+ {
779
+ "id": "insecure_data_storage",
780
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
781
+ "children": [
782
+ {
783
+ "id": "sensitive_application_data_stored_unencrypted",
784
+ "children": [
785
+ {
786
+ "id": "on_external_storage",
787
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
788
+ }
789
+ ]
790
+ },
791
+ {
792
+ "id": "server_side_credentials_storage",
793
+ "children": [
794
+ {
795
+ "id": "plaintext",
796
+ "cvss_v3": "AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:N"
797
+ }
798
+ ]
799
+ }
800
+ ]
801
+ },
802
+ {
803
+ "id": "lack_of_binary_hardening",
804
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
805
+ },
806
+ {
807
+ "id": "insecure_data_transport",
808
+ "children": [
809
+ {
810
+ "id": "cleartext_transmission_of_sensitive_data",
811
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
812
+ },
813
+ {
814
+ "id": "executable_download",
815
+ "children": [
816
+ {
817
+ "id": "no_secure_integrity_check",
818
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N"
819
+ },
820
+ {
821
+ "id": "secure_integrity_check",
822
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:N"
823
+ }
824
+ ]
825
+ }
826
+ ]
827
+ },
828
+ {
829
+ "id": "insecure_os_firmware",
830
+ "children": [
831
+ {
832
+ "id": "command_injection",
833
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
834
+ },
835
+ {
836
+ "id": "hardcoded_password",
837
+ "children": [
838
+ {
839
+ "id": "privileged_user",
840
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
841
+ },
842
+ {
843
+ "id": "non_privileged_user",
844
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
845
+ }
846
+ ]
847
+ }
848
+ ]
849
+ },
850
+ {
851
+ "id": "broken_cryptography",
852
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"
853
+ },
854
+ {
855
+ "id": "privacy_concerns",
856
+ "children": [
857
+ {
858
+ "id": "unnecessary_data_collection",
859
+ "children": [
860
+ {
861
+ "id": "wifi_ssid_password",
862
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
863
+ }
864
+ ]
865
+ }
866
+ ]
867
+ },
868
+ {
869
+ "id": "network_security_misconfiguration",
870
+ "children": [
871
+ {
872
+ "id": "telnet_enabled",
873
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
874
+ }
875
+ ]
876
+ },
877
+ {
878
+ "id": "mobile_security_misconfiguration",
879
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
880
+ "children": [
881
+ {
882
+ "id": "clipboard_enabled",
883
+ "cvss_v3": "AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N"
884
+ },
885
+ {
886
+ "id": "auto_backup_allowed_by_default",
887
+ "cvss_v3": "AV:P/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"
888
+ }
889
+ ]
890
+ },
891
+ {
892
+ "id": "client_side_injection",
893
+ "children": [
894
+ {
895
+ "id": "binary_planting",
896
+ "children": [
897
+ {
898
+ "id": "privilege_escalation",
899
+ "cvss_v3": "AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
900
+ },
901
+ {
902
+ "id": "non_default_folder_privilege_escalation",
903
+ "cvss_v3": "AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N"
904
+ },
905
+ {
906
+ "id": "no_privilege_escalation",
907
+ "cvss_v3": "AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N"
908
+ }
909
+ ]
910
+ }
911
+ ]
912
+ },
913
+ {
914
+ "id": "automotive_security_misconfiguration",
915
+ "children": [
916
+ {
917
+ "id": "infotainment",
918
+ "children": [
919
+ {
920
+ "id": "pii_leakage",
921
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"
922
+ },
923
+ {
924
+ "id": "code_execution_can_bus_pivot",
925
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
926
+ },
927
+ {
928
+ "id": "code_execution_no_can_bus_pivot",
929
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L"
930
+ },
931
+ {
932
+ "id": "unauthorized_access_to_services",
933
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L"
934
+ },
935
+ {
936
+ "id": "source_code_dump",
937
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"
938
+ },
939
+ {
940
+ "id": "dos_brick",
941
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
942
+ },
943
+ {
944
+ "id": "default_credentials",
945
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
946
+ }
947
+ ]
948
+ },
949
+ {
950
+ "id": "rf_hub",
951
+ "children": [
952
+ {
953
+ "id": "key_fob_cloning",
954
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"
955
+ },
956
+ {
957
+ "id": "can_injection_interaction",
958
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
959
+ },
960
+ {
961
+ "id": "data_leakage_pull_encryption_mechanism",
962
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"
963
+ },
964
+ {
965
+ "id": "unauthorized_access_turn_on",
966
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L"
967
+ },
968
+ {
969
+ "id": "roll_jam",
970
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
971
+ },
972
+ {
973
+ "id": "replay",
974
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
975
+ },
976
+ {
977
+ "id": "relay",
978
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
979
+ }
980
+ ]
981
+ },
982
+ {
983
+ "id": "can",
984
+ "children": [
985
+ {
986
+ "id": "injection_disallowed_messages",
987
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
988
+ },
989
+ {
990
+ "id": "injection_dos",
991
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
992
+ }
993
+ ]
994
+ }
995
+ ]
996
+ },
997
+ {
998
+ "id": "indicators_of_compromise",
999
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
1000
+ }
1001
+ ]
1002
+ }