Also available in PDF format (707KiB).
Document Version: 1.0
The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. CVSS consists of four metric groups: Base, Threat, Environmental, and Supplemental. The Base group represents the intrinsic qualities of a vulnerability that are constant over time and across user environments, the Threat group reflects the characteristics of a vulnerability that change over time, and the Environmental group represents the characteristics of a vulnerability that are unique to a user's environment. Base metric values are combined with default values that assume the highest severity for Threat and Environmental metrics to produce a score ranging from 0 to 10. To further refine a resulting severity score, Threat and Environmental metrics can then be amended based on applicable threat intelligence and environmental considerations. Supplemental metrics do not modify the final score, and are used as additional insight into the characteristics of a vulnerability. A CVSS vector string consists of a compressed textual representation of the values used to derive the score. This document provides the official specification for CVSS version 4.0.
CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. FIRST reserves the right to update CVSS and this document periodically at its sole discretion. While FIRST owns all right and interest in CVSS, it licenses it to the public freely for use, subject to the conditions below. Membership in FIRST is not required to use or implement CVSS. FIRST does, however, require that any individual or entity using CVSS give proper attribution, where applicable, that CVSS is owned by FIRST and used by permission. Further, FIRST requires as a condition of use that any individual or entity which publishes scores conforms to the guidelines described in this document and provides both the score and the scoring vector so others can understand how the score was derived.
Contents
Below are useful references to additional CVSS v4.0 documents.
Resource | Location |
---|---|
Specification Document | Includes metric descriptions, formulas, and vector strings. Available at https://www.first.org/cvss/v4.0/specification-document |
User Guide | Includes further discussion of CVSS v4.0, a scoring rubric, and a glossary. Available at https://www.first.org/cvss/v4.0/user-guide |
Examples Document | Includes examples of CVSS v4.0 scoring in practice. Available at https://www.first.org/cvss/v4.0/examples |
CVSS v4.0 Calculator | Reference implementation of the CVSS v4.0 equations, available at https://www.first.org/cvss/calculator/4.0 |
JSON & XML Data Representations | Schema definition available at https://www.first.org/cvss/data-representations |
CVSS v4.0 Main Page | Main page for all other CVSS resources: https://www.first.org/cvss/v4-0/ |
This document demonstrates how to apply the CVSS version 4.0 standard to assess specific vulnerabilities. Every vulnerability example includes a summary and a breakdown of the assessment. CVSS version 3.0 scores are provided to show differences between the two standards.
Details of the vulnerabilities and attacks were sourced primarily from the National Vulnerability Database (NVD) at https://nvd.nist.gov/vuln/search. Information from additional sources was also used when more details were required.
Common Vulnerability Scoring System version 4.0 Examples
The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. CVSS consists of four metric groups: Base, Threat, Environmental, and Supplemental. The Base group represents the intrinsic qualities of a vulnerability that are constant over time and across user environments, the Threat group reflects the characteristics of a vulnerability that change over time, and the Environmental group represents the characteristics of a vulnerability that are unique to a user's environment. Base metric values are combined with default values that assume the highest severity for Threat and Environmental metrics to produce a score ranging from 0 to 10. To further refine a resulting severity score, Threat and Environmental metrics can then be amended based on applicable threat intelligence and environmental considerations. Supplemental metrics do not modify the final score, and are used as additional insight into the characteristics of a vulnerability. A CVSS vector string consists of a compressed textual representation of the values used to derive the score. This document provides the official specification for CVSS version 4.0.
The most current CVSS resources can be found at https://www.first.org/cvss/
CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. FIRST reserves the right to update CVSS and this document periodically at its sole discretion. While FIRST owns all rights and interest in CVSS, it licenses it to the public freely for use, subject to the conditions below. Membership in FIRST is not required to use or implement CVSS. FIRST does, however, require that any individual or entity using CVSS give proper attribution, where applicable, that CVSS is owned by FIRST and used by permission. Further, FIRST requires as a condition of use that any individual or entity which publishes scores conforms to the guidelines described in this document and provides both the score and the scoring vector so others can understand how the score was derived.
This section includes scoring examples that illustrate aspects of changed or modified metrics.
A vulnerability in the module ngx_http_mp4_module might allow a local attacker to corrupt NGINX worker memory, resulting in its termination or potential other impact using a specially crafted audio or video file. The issue affects only NGINX products that are built with the ngx_http_mp4_module, when the mp4 directive is used in the configuration file. Further, the attack is possible only if an attacker can trigger processing of a specially crafted audio or video file with the module ngx_http_mp4_module.
v3.1 | v4.0 Base |
---|---|
7.0 | 7.3 |
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H | CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
CVSS v4 Score: Base 7.3
Metric | Value | Comments |
---|---|---|
Attack Vector | Local | An attacker must be able to access the vulnerable system with a local, interactive session. |
Attack Complexity | Low | No specialized conditions or advanced knowledge are required. |
Attack Requirements | Present | NGINX must be built with the module, and configuration must be present. Neither of those are default scenarios for an NGINX OSS web server. The attacker must place a file within the web root and cause NGINX to serve that file. |
Privileges Required | Low | An attacker must be able to place a file within the web root to be processed by NGINX. |
User Interaction | None | No user interaction is required for an attacker to successfully exploit the vulnerability. |
Vulnerable System Confidentiality | High | The attacker could execute arbitrary code on the vulnerable system with elevated privileges. |
Vulnerable System Integrity | High | The attacker could execute arbitrary code on the vulnerable system with elevated privileges. |
Vulnerable System Availability | High | The attacker could execute arbitrary code on the vulnerable system with elevated privileges. |
Subsequent System Confidentiality | None | There is no impact to the subsequent system confidentiality. |
Subsequent System Integrity | None | There is no impact to the subsequent system integrity. |
Subsequent System Availability | None | There is no impact to the subsequent system availability. |
A vulnerability in the sftunnel functionality of Cisco Firepower Management Center (FMC) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to obtain the device registration hash.
The vulnerability is due to insufficient sftunnel negotiation protection during initial device registration. An attacker in a man-in-the-middle position could exploit this vulnerability by intercepting a specific flow of the sftunnel communication between an FMC device and an FTD device. A successful exploit could allow the attacker to decrypt and modify the sftunnel communication between FMC and FTD devices, allowing the attacker to modify configuration data sent from an FMC device to an FTD device or alert data sent from an FTD device to an FMC device.
v3.1 | v4.0 | |
---|---|---|
Base | 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 7.7 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
Base + Threat | 5.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U |
CVSS v4 Score: Base + Threat 5.2
Metric | Value | Comments |
---|---|---|
Attack Vector | Network | The vulnerable system is accessible from remote networks. |
Attack Complexity | Low | No specialized conditions or advanced knowledge are required. |
Attack Requirements | Present | An attacker must be on-path to be able to intercept communications between affected systems. |
Privileges Required | None | No privileges are required for an attacker to successfully exploit the vulnerability. |
User Interaction | Passive | A user must be logged in and using the application for traffic to be generated that an attacker could capture. |
Vulnerable System Confidentiality | High | An attacker could gain access to the system with a highly privileged user account. |
Vulnerable System Integrity | High | An attacker could gain access to the system with a highly privileged user account. |
Vulnerable System Availability | High | An attacker could gain access to the system with a highly privileged user account. |
Subsequent System Confidentiality | None | There is no impact to the vulnerable system confidentiality. |
Subsequent System Integrity | None | There is no impact to the vulnerable system integrity. |
Subsequent System Availability | None | There is no impact to the vulnerable system availability. |
Exploit Maturity | Unreported | There is no known proof-of-concept code or malicious exploitation of this vulnerability. |
Description: A compliance problem was found in the Red Hat OpenShift Container Platform. Red Hat discovered that, when FIPS mode was enabled, not all of the cryptographic modules in use were FIPS-validated.
v3.1 | v4.0 | |
---|---|---|
Base | 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 8.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N |
Base + Environmental | 8.1 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/CR:H/IR:L/AR:L/MAV:N/MAC:H/MVC:H/MVI:L/MVA:L |
CVSS v4 Score: Base + Environmental 8.1
Metric | Value | Comments |
---|---|---|
Attack Vector | Network | The vulnerable system is accessible from remote networks. |
Attack Complexity | Low | There is no inherent vulnerability, but a lower level of cryptography than expected was being used, resulting in a lower-than-configured certificate security. |
Attack Requirements | Present | Attack requirements are present. Only applications built with a specific configuration are vulnerable. |
Privileges Required | None | No privileges are required for an attacker to successfully exploit the vulnerability. |
User Interaction | None | No user interaction is required for an attacker to successfully exploit the vulnerability. |
Vulnerable System Confidentiality | High | This CVE particularly affects high-security systems (FIPS users) and lowers the requirements to access confidential information. |
Vulnerable System Integrity | Low | Integrity will be at a lower cryptographic level than desired, but is still always encrypted. |
Vulnerable System Availability | Low | Integrity will be at a lower cryptographic level than desired, but is still always encrypted. |
Subsequent System Confidentiality | None | There is no impact to subsequent systems. |
Subsequent System Integrity | None | There is no impact to subsequent systems. |
Subsequent System Availability | None | There is no impact to subsequent systems. |
Modified Attack Vector | Network | This still requires spoofing a cryptographically secure certificate, just not always an FIPS-approved algorithm. |
Modified Attack Complexity | High | This still requires spoofing a cryptographically secure certificate, just not always an FIPS-approved algorithm. |
Modified Vulnerable System Confidentiality | High | This still requires spoofing a cryptographically secure certificate, just not always an FIPS-approved algorithm. |
Modified Vulnerable System Integrity | Low | Integrity will be at a lower cryptographic level than desired, but is still always encrypted. |
Modified Vulnerable System Availability | Low | Integrity will be at a lower cryptographic level than desired, but is still always encrypted. |
Confidentiality Requirements | High | System certificates are still encrypted correctly, but at a weaker level than expected, resulting in a hard-to-abuse system, but easier than intended/designed for the system. |
Integrity Requirements | Low | There is a low chance of integrity being modified, but higher than expected behavior. |
Availability Requirements | Low | There is a low chance of availability being affected, but higher than expected behavior. |
Analysts assessing User Interaction should consider the necessary actions taken by a user. As per the specification document, operations normally taken by a user would be User Interaction:Passive. Actions that are out of the ordinary, against recommended guidance, or subverting security controls, would be User Interaction:Active.
Acrobat Reader DC version 21.007.20099 (and earlier), 20.004.30017 (and earlier) and 17.011.30204 (and earlier) are affected by a Violation of Secure Design Principles that could lead to a Security feature bypass. Acrobat Reader DC displays a warning message when a user clicks on a PDF file, which could be used by an attacker to mislead the user. In affected versions, this warning message does not include custom protocols when used by the sender. User interaction is required to abuse this vulnerability as they would need to click 'allow' on the warning message of a malicious file.
v3.1 | v4.0 Base |
---|---|
3.3 | 4.6 |
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N | CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
CVSS v4 Score: Base 4.6
Metric | Value | Comments |
---|---|---|
Attack Vector | Local | The document must be present on the local disk. |
Attack Complexity | Low | No specialized conditions or advanced knowledge are required. |
Attack Requirements | None | No attack requirements are present. |
Privileges Required | None | No privileges are required for an attacker to successfully exploit the vulnerability. |
User Interaction | Active | User interaction is required to abuse this vulnerability because they would need to click allow on the warning message of a malicious file. |
Vulnerable System Confidentiality | Low | Warning dialog messages do not contain all information about the document. Important omitted information about the document may allow the attacker to conduct further spoofing attacks. |
Vulnerable System Integrity | None | There is no impact on vulnerable systems. |
Vulnerable System Availability | None | There is no impact on vulnerable systems. |
Subsequent System Confidentiality | None | There is no impact to subsequent systems. |
Subsequent System Integrity | None | There is no impact to subsequent systems. |
Subsequent System Availability | None | There is no impact to subsequent systems. |
Description A blind self XSS vulnerability exists in RocketChat LiveChat \<v1.9 that could allow an attacker to trick a victim pasting malicious code in their chat instance.
V3.1 | v4.0 Base |
---|---|
6.1 | 5.1 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
CVSS v4 Score: Base 5.1
Metric | Value | Comments |
---|---|---|
Attack Vector | Network | The vulnerable system is accessible from remote networks. |
Attack Complexity | Low | No specialized conditions or advanced knowledge are required. |
Attack Requirements | None | No attack requirements are present. |
Privileges Required | None | No privileges are required for an attacker to successfully exploit the vulnerability. |
User Interaction | Active | The attacker must convince the user to input malicious script into the application. |
Vulnerable System Confidentiality | None | No impact to the vulnerable application. |
Vulnerable System Integrity | None | No impact to the vulnerable application. |
Vulnerable System Availability | None | No impact to the vulnerable application. |
Subsequent System Confidentiality | Low | An attacker could read data from the user’s browser. |
Subsequent System Integrity | Low | An attacker could modify data in the user’s browser. |
Subsequent System Availability | None | No direct availability impact to the user’s browser. |
Some examples of subsequent systems include:
Guest host in a VMM hypervisor
Device attached to a network gateway
A managed Device
Due to an Improper Initialization vulnerability in Junos OS on EX4650 devices, packets received on the em0 but not destined to the device, may be improperly forwarded to an egress interface, instead of being discarded. Such traffic being sent by a client may appear genuine, but is non-standard in nature and should be considered as potentially malicious.
v3.1 | v4.0 Base |
---|---|
7.2 | 6.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
CVSS v4 Score: Base 6.9
Metric | Value | Comments |
---|---|---|
Attack Vector | Network | The vulnerable system is accessible from remote networks. |
Attack Complexity | Low | An attacker must be able to access the vulnerable system with a local, interactive session. |
Attack Requirements | None | No attack requirements are present. |
Privileges Required | None | No privileges are required for an attacker to successfully exploit the vulnerability. |
User Interaction | None | No user interaction is required for an attacker to successfully exploit the vulnerability. |
Vulnerable System Confidentiality | None | There is no impact to the vulnerable system confidentiality. |
Vulnerable System Integrity | None | There is no impact to the vulnerable system integrity. |
Vulnerable System Availability | None | There is no impact to the vulnerable system availability. |
Subsequent System Confidentiality | Low | Network traffic or information from restricted hosts may be detected. |
Subsequent System Integrity | Low | Network traffic may be sent to an undesired interface. |
Subsequent System Availability | None | There is no impact to subsequent systems. |
Description
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 6.1.44 and Prior to 7.0.8. Easily exploitable vulnerability allows high privileged attackers with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data.
v3.1 | v4.0 Base |
---|---|
6.0 | 5.9 |
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N | CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N |
CVSS v4 Score: Base 5.9
Metric | Value | Comments |
---|---|---|
Attack Vector | Local | An attacker must be able to access the vulnerable system with a local, interactive session. |
Attack Complexity | Low | No specialized conditions or advanced knowledge are required. |
Attack Requirements | None | No attack requirements are present. |
Privileges Required | High | An attacker must have administrative control over a virtual machine within the virtual machine host. |
User Interaction | None | No user interaction is required for an attacker to successfully exploit the vulnerability. |
Vulnerable System Confidentiality | None | There is no impact to the vulnerable system confidentiality. |
Vulnerable System Integrity | None | There is no impact to the vulnerable system integrity. |
Vulnerable System Availability | None | There is no impact to the vulnerable system availability. |
Subsequent System Confidentiality | High | An attacker could exploit this vulnerability to access confidential information stored within the VM host hypervisor system. |
Subsequent System Integrity | None | There is no impact to subsequent systems. |
Subsequent System Availability | None | There is no impact to subsequent systems. |
VMware Workstation (15.x before 15.5.2) and Fusion (11.x before 11.5.2) contain a use-after vulnerability in vmnetdhcp. Successful exploitation of this issue may lead to code execution on the host from the guest or may allow attackers to create a denial-of-service condition of the vmnetdhcp service running on the host machine.
v3.1 | v4.0 Base |
---|---|
9.3 | 9.4 |
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H |
CVSS v4 Score: Base 9.4
Metric | Value | Comments |
---|---|---|
Attack Vector | Local | An attacker must be able to access the vulnerable system with a local, interactive session. |
Attack Complexity | Low | No specialized conditions or advanced knowledge are required. |
Attack Requirements | None | No attack requirements are present. |
Privileges Required | High | An attacker must have administrative control over a virtual machine within the virtual machine host. |
User Interaction | None | No user interaction is required for an attacker to successfully exploit the vulnerability. |
Vulnerable System Confidentiality | High | An attacker could execute arbitrary code on the vulnerable system. |
Vulnerable System Integrity | High | An attacker could execute arbitrary code on the vulnerable system. |
Vulnerable System Availability | High | An attacker could execute arbitrary code on the vulnerable system. |
Subsequent System Confidentiality | High | An attacker could take actions on other systems hosted within the virtual hypervisor. |
Subsequent System Integrity | High | An attacker could take actions on other systems hosted within the virtual hypervisor. |
Subsequent System Availability | High | An attacker could take actions on other systems hosted within the virtual hypervisor. |
Exploit Maturity | Proof-of-Concept (P) | A proof of concept is available |
Safety is a Supplemental metric which may be optionally assessed by a scoring provider with values of Not Defined (X), Present (P), or Negligible (N). In the case of a system that intends to have health-related functions, it might also have a Safety-related consequence if a vulnerability is exploited. Let’s look at an example.
There are two known configurations of a product known as the Becton Dickinson PCU which can be modified without authentication using physical connection to the PCU. A PCU is commonly used for infusion delivery in a healthcare provider environment. With that context in mind, it could be inferred that an exploit of this vulnerability might have Safety impact. The below is only an example of how this, or a similar vulnerability, could be scored.
v3.1 | v4.0 Base |
---|---|
6.8 | 8.3 |
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:H/SA:N/S:P/V:D |
CVSS v4 Score: Base 8.3
Metric | Value | Comments |
---|---|---|
Attack Vector | Physical | An attacker must be able to physically access the system. |
Attack Complexity | Low | No specialized conditions or advanced knowledge are required. |
Attack Requirements | None | No attack requirements are present. |
Privileges Required | None | An attacker is unauthorized prior to the attack. |
User Interaction | None | No user interaction is required for an attacker to successfully exploit the vulnerability. |
Vulnerable System Confidentiality | High | An attacker could execute arbitrary code on the vulnerable system. |
Vulnerable System Integrity | High | An attacker could execute arbitrary code on the vulnerable system. |
Vulnerable System Availability | High | An attacker could execute arbitrary code on the vulnerable system. |
Subsequent System Confidentiality | None | If the scoring provider assumes that a patient is the subsequent system, a successful exploit would not result in loss of confidentiality. |
Subsequent System Integrity | High | If the scoring provider assumes that a patient is the subsequent system, a successful exploit could result in loss of health integrity for that patient. |
Subsequent System Availability | None | If the scoring provider assumes that a patient is the subsequent system, the attribute of availability might be metaphorically ambiguous. |
CVSS v4 Supplemental Metrics
Metric | Value | Comments |
---|---|---|
Safety | Present | Consequences of exploiting this vulnerability could have a Safety impact that is equal to or worse than “marginal”, as described in IEC 61508. |
Value Density | Diffuse | The system with the vulnerable component is fairly limited in resources. |
These were in the previous version and we are carrying them forward to show the change between version 3 and 4.
Vulnerability
The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.
Attack
A successful attack requires only sending a specially crafted message to a web server running OpenSSL. The attacker constructs a malformed “heartbeat request” with a large field length and small payload size. The vulnerable server does not validate the length of the payload against the provided field length and will return up to 64 kB of server memory to the attacker. It is likely that this memory was previously utilized by OpenSSL. Data returned may contain sensitive information such as encryption keys or user names and passwords that could be used by the attacker to launch further attacks
v3.1 | v4.0 Base + Threat |
---|---|
7.5 | 8.7 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:A |
CVSS v4 Score: Base + Threat 8.7
Metric | Value | Comments |
---|---|---|
Attack Vector | Network | The vulnerable system is accessible from remote networks. |
Attack Complexity | Low | No specialized conditions or advanced knowledge are required. |
Attack Requirements | None | No attack requirements are present. |
Privileges Required | None | No privileges are required for an attacker to successfully exploit the vulnerability. |
User Interaction | None | No user interaction is required for an attacker to successfully exploit the vulnerability. |
Vulnerable System Confidentiality | High | Access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact to the affected scope (e.g. the attacker can read the administrator's password, or private keys in memory are disclosed to the attacker). |
Vulnerable System Integrity | None | There is no impact to the vulnerable system integrity. |
Vulnerable System Availability | None | There is no impact to the vulnerable system availability. |
Subsequent System Confidentiality | None | There is no impact to subsequent systems. |
Subsequent System Integrity | None | There is no impact to subsequent systems. |
Subsequent System Availability | None | There is no impact to subsequent systems. |
Exploit Maturity | Attacked | There are known exploits in the wild. |
A vulnerability in the Apache log4j library could allow an unauthenticated, remote attacker to execute arbitrary commands with the privileges of the service using the vulnerable library.
v3.1 Base | v4.0 Base + Threat |
---|---|
10.0 | 10.0 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A |
CVSS v3.1 Base Score: 10.0
Metric | Value | Comments |
---|---|---|
Attack Vector | Network | The vulnerability is in a network service that uses log4j. |
Attack Complexity | Low | No conditions outside of the user’s control. |
Privileges Required | None | An attacker requires no privileges to mount an attack. |
User Interaction | None | The attacker requires no user interaction to successfully exploit the vulnerability |
Scope | Changed | The vulnerable component could allow an attacker to affect downstream components and systems. |
Confidentiality | High | An attacker can execute arbitrary commands with elevated privileges. |
Integrity | High | An attacker can execute arbitrary commands with elevated privileges. |
Availability | High | An attacker can execute arbitrary commands with elevated privileges. |
CVSS v4 Score: Base + Threat 10.0
Metric | Value | Comments |
---|---|---|
Attack Vector | Network | The vulnerable system is accessible from remote networks. |
Attack Complexity | Low | No specialized conditions or advanced knowledge are required. |
Attack Requirements | None | Although the attacker must prepare the environment to achieve the worst possible outcome of an attack, (for example, code execution) through control of a reachable LDAP server, the system should be assumed vulnerable. |
Privileges Required | None | No privileges are required for an attacker to successfully exploit the vulnerability. |
User Interaction | None | The attack does not require any user interaction. |
Vulnerable System Confidentiality | High | The attacker can run arbitrary commands with elevated privileges and access sensitive system information. |
Vulnerable System Integrity | High | The attacker can run arbitrary commands with elevated privileges and modify the system configuration. |
Vulnerable System Availability | High | The attacker can run arbitrary commands with elevated privileges and gain access sufficient to reset or turn off the device. |
Subsequent System Confidentiality | High | The attacker could exploit the vulnerability to view sensitive information from downstream systems. |
Subsequent System Integrity | High | The attacker could exploit the vulnerability to modify data from downstream systems. |
Subsequent System Availability | High | The attacker could exploit the vulnerability to impact the availability of downstream systems. |
Exploit Maturity | Attacked | There are known exploits in the wild. |
Vulnerability
GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "Shellshock."
Attack
A successful attack can be launched by an attacker directly against the vulnerable GNU Bash shell, or in certain cases, by an unauthenticated, remote attacker through services either written in GNU Bash or services spawning GNU Bash shells. In the case of an attack against the Apache HTTP Server running dynamic content CGI modules, an attacker can submit a request while providing specially crafted commands as environment variables. These commands will be interpreted by the handler program, the GNU Bash shell, with the privilege of the running HTTPD process. As such, environment variables passed by the attacker could allow installation of software, account enumeration, denial of service, etc. Attacks against other services that have a relationship with the GNU Bash shell are similarly possible.
v3.1 Base | v4.0 Base + Threat |
---|---|
9.8 | 9.3 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A |
CVSS v3.1 Base Score: 9.8
Metric | Value | Comments |
---|---|---|
Attack Vector | Network | The reasonable worst-case scenario is a network attack through a web server. |
Attack Complexity | Low | An attacker needs only to gain access to a listening service that uses the GNU Bash shell as an interpreter or interact with a GNU Bash shell directly. |
Privileges Required | None | The reasonable worst-case scenario is an attack through a web server, which does not require any privileges, for example, a simple CGI script. |
User Interaction | None | No user interaction is required for an attacker to successfully exploit the vulnerability. |
Scope | Unchanged | The vulnerable component is the GNU Bash shell, which is used as an interpreter for various services or can be accessed directly. It runs within the security authority of the operating system. The impacted component is also the operating system, so there is no scope change. |
Confidentiality | High | An attacker can take complete control of the affected system. |
Integrity | High | An attacker can take complete control of the affected system. |
Availability | High | An attacker can take complete control of the affected system. |
CVSS v4 Score: Base + Threat 9.3
Metric | Value | Comments |
---|---|---|
Attack Vector | Network | The vulnerable system is accessible from remote networks. |
Attack Complexity | Low | No specialized conditions or advanced knowledge are required. |
Attack Requirements | None | No attack requirements are present. |
Privileges Required | None | No privileges are required for an attacker to successfully exploit the vulnerability. |
User Interaction | None | No user interaction is required for an attacker to successfully exploit the vulnerability. |
Vulnerable System Confidentiality | High | The attacker can run arbitrary commands with elevated privileges and access sensitive system information. |
Vulnerable System Integrity | High | The attacker can run arbitrary commands with elevated privileges and modify the system configuration. |
Vulnerable System Availability | High | The attacker can run arbitrary commands with elevated privileges and gain access sufficient to reset or turn off the device. |
Subsequent System Confidentiality | None | There is no impact to subsequent systems. |
Subsequent System Integrity | None | There is no impact to subsequent systems. |
Subsequent System Availability | None | There is no impact to subsequent systems. |
Exploit Maturity | Attacked | There are known exploits in the wild. |
Vulnerability
If Proxy ARP is enabled on an unnumbered interface, an attacker can poison the ARP cache and create a bogus forwarding table entry for an IP address, effectively creating a denial of service for that subscriber or interface. When Proxy ARP is enabled on an unnumbered interface, the router will answer any ARP message from any IP address which could lead to exploitable information disclosure. This issue can affect any product or platform running Junos OS 10.4, 11.4, 11.4X27, 12.1, 12.1X44, 12.1X45, 12.2, 12.3, or 13.1, supporting unnumbered interfaces.
Attack
Exploitation of this vulnerability requires network adjacency with the target system and the ability to generate arbitrary ARP replies sent to the connected interface. A rogue subscriber can poison the ARP cache and/or create a rogue forwarding table entry for an IP of choice, effectively obscuring that IP address or redirecting IP traffic to the attacker.
The resultant impact can be observed as unauthorized modification of a database on the vulnerable component, or as an impact on confidentiality or availability on attached devices (impacted component). Since the CVSSv3 score for a high confidentiality (or availability) impact on a changed scope is higher than a partial impact on the vulnerable component, CVSSv3 guidance recommends to score for the higher overall impact.
v3.1 | v4.0 Base |
---|---|
9.3 | 6.4 |
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H | CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:H/SI:N/SA:H |
CVSS v4 Score: Base 6.4
Metric | Value | Comments |
---|---|---|
Attack Vector | Adjacent | The attacker must be within the local proximity of the device. |
Attack Complexity | Low | No specialized conditions or advanced knowledge are required. |
Attack Requirements | None | No attack requirements are present. |
Privileges Required | None | No privileges are required for an attacker to successfully exploit the vulnerability. |
User Interaction | None | No user interaction is required for an attacker to successfully exploit the vulnerability. |
Vulnerable System Confidentiality | None | There is no impact to the vulnerable system confidentiality. |
Vulnerable System Integrity | None | There is no impact to the vulnerable system integrity. |
Vulnerable System Availability | None | There is no impact to the vulnerable system availability. |
Subsequent System Confidentiality | High | The attacker can hijack and redirect the IP traffic to themselves. |
Subsequent System Integrity | None | There is no impact to the subsequent system integrity. |
Subsequent System Availability | High | Adding the rogue forwarding table can redirect the end user to rogue IP addresses. |
Vulnerability
The SmmRuntime BIOS EFI Driver allows local administrators to execute arbitrary code with System Management Mode (SMM) privileges via unspecified vectors.
Attack
Attacker creates a buffer in memory containing exploit code to be executed in SMM context. Attacker then creates a structure with a pointer to the exploit code’s entry point and triggers an SMI passing a reference to that structure. The SMM driver then calls the exploit code via the supplied function pointer.
v3.1 | v4.0 Base + Threat |
---|---|
8.2 | 9.3 |
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/R:I |
CVSS v4 Score: Base + Threat 9.3
Metric | Value | Comments |
---|---|---|
Attack Vector | Local | An attacker must be able to execute code on the system. |
Attack Complexity | Low | This attack leverages a failure to verify input parameters in the SmmRuntime driver and can be reproduced consistently with simple code. |
Attack Requirements | None | No attack requirements are present. |
Privileges Required | High | The attacker must be able to run kernel level (ring 0) code on the affected system. |
User Interaction | None | The vulnerability is built into the BIOS and is always available. There is no user configuration involved. |
Vulnerable System Confidentiality | High | SMM has complete control over the system, including all information on the system. |
Vulnerable System Integrity | High | SMM access allows an attacker to modify any part of the system. |
Vulnerable System Availability | High | The attacker could keep the system in SMM, denying access to the system and never returning to a normal operation mode. |
Subsequent System Confidentiality | High | All software on the vulnerable system can be seen by the attacker. |
Subsequent System Integrity | High | All software on the vulnerable system can be modified by the attacker. |
Subsequent System Availability | High | The attacker could keep the system in SMM, denying access to software on the system. |
Recovery | Irrecoverable | The attacker could keep the system in SMM, and could prevent recovery of the system by automatically running their code and locking down the system to prevent a user from accessing it. |
Vulnerability
Some UEFI BIOS implementations failed to set Flash write protections such as the BIOS_CNTL locking on resume from the S3 suspend to RAM sleep state.
Attack
Attacker causes or waits until the system resumes from suspend, and then writes over the current BIOS image in Flash with a new BIOS image modified by the attacker.
v3.1 | v4.0 Base + Threat |
---|---|
6.0 | 8.7 |
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H | CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/R:I |
CVSS v4 Score: Base + Threat 8.7
Metric | Value | Comments |
---|---|---|
Attack Vector | Local | An attacker must be able to execute code on the system. |
Attack Complexity | Low | An attacker has unfettered access to the Flash part on which the BIOS is stored. |
Attack Requirements | Present | The vulnerability is introduced by firmware failing to enable correct flash memory protections upon the resume from S3 system sleep state. |
Privileges Required | High | An attacker must be able to run kernel level (ring 0) code on the target system, in order to access the Flash part. |
User Interaction | None | No user interaction is required for an attacker to successfully exploit the vulnerability. |
Vulnerable System Confidentiality | High | An attacker that can modify the BIOS image can install components to completely monitor and control the vulnerable system. |
Vulnerable System Integrity | High | An attacker that can modify the BIOS image can modify anything on the vulnerable system. |
Vulnerable System Availability | High | An attacker could cause a denial of service by corrupting the BIOS image or could encrypt the vulnerable system. |
Subsequent System Confidentiality | High | Any software on the system could be monitored by an agent installed in the BIOS on the vulnerable system. |
Subsequent System Integrity | High | Any files on the system could be modified by an agent installed in the BIOS. |
Subsequent System Availability | High | An attacker could encrypt files on the system, preventing access. |
Recovery | Irrecoverable | An attacker could cause a denial of service through encryption or corruption, neither of which could be fixed by a user. |
Vulnerability
Existing UEFI setting restrictions for DCI (Direct Connect Interface) in 5th and 6th generation Intel Xeon Processor E3 Family, Intel Xeon Scalable processors, and Intel Xeon Processor D Family allows a limited physical presence attacker to potentially access platform secrets via debug interfaces.
Attack
An attacker with physical access can attach a debug device to the DCI interface and directly interrogate and control the processor state starting from very early in the boot process.
v3.1 | v4.0 Base |
---|---|
7.6 | 8.6 |
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H |
CVSS v4 Score: Base 8.6
Metric | Value | Comments |
---|---|---|
Attack Vector | Physical | An attacker must have physical access to the DCI port in order to attach the debugging device. |
Attack Complexity | Low | The debugging device is off-the-shelf hardware that can be purchased from Intel. |
Attack Requirements | None | No attack requirements are present. |
Privileges Required | None | Only physical presence is required; no system privileges are required. |
User Interaction | None | No user interaction is required for an attacker to successfully exploit the vulnerability. |
Vulnerable System Confidentiality | High | An attacker can view all memory and CPU instructions. |
Vulnerable System Integrity | High | An attacker can modify all contents of memory and control the CPU directly. |
Vulnerable System Availability | High | An attacker can cause a denial of service by stopping the CPU from executing the desired functionality. |
Subsequent System Confidentiality | High | An attacker can view the contents of memory for programs on the vulnerable system. |
Subsequent System Integrity | High | An attacker can modify the contents of memory for running applications and files on the vulnerable system. |
Subsequent System Availability | High | An attacker can modify and corrupt applications on the vulnerable system. |
This section contains examples of commonly-seen vulnerabilities from across the industry. The examples here are meant to be illustrative of common issues, but should not be considered authoritative. Unique vulnerabilities may have different impacts.
Description
PrestaShop is an Open Source e-commerce web application. Prior to versions 8.0.4 and 1.7.8.9, it is possible for a user with access to the SQL Manager (Advanced Options -> Database) to arbitrarily read any file on the operating system when using SQL function `LOAD_FILE` in a `SELECT` request. This gives the user access to critical information. A patch is available in PrestaShop 8.0.4 and PS 1.7.8.9
v3.1 | v4.0 Base |
---|---|
6.5 | 7.1 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
CVSS v4 Score: Base 7.1
Metric | Value | Comments |
---|---|---|
Attack Vector | Network | The vulnerable system is accessible from remote networks. |
Attack Complexity | Low | No specialized conditions or advanced knowledge are required. |
Attack Requirements | None | No attack requirements are present. |
Privileges Required | Low | Attacker has to have database access (non-root user access). |
User Interaction | None | No user interaction is required for an attacker to successfully exploit the vulnerability. |
Vulnerable System Confidentiality | High | An attacker can read any file on the operating system |
Vulnerable System Integrity | None | There is no impact to the vulnerable system integrity. |
Vulnerable System Availability | None | There is no impact to the vulnerable system availability. |
Subsequent System Confidentiality | None | There is no impact to subsequent systems Confidentiality. |
Subsequent System Integrity | None | There is no impact to subsequent systems Integrity. |
Subsequent System Availability | None | There is no impact to subsequent systems Availability. |
Description
Firmware for Bosch devices transmits in clear text over HTTP, allowing on-path attackers to gain access to user credentials.
v3.1 | v4.0 Base |
---|---|
5.9 | 8.2 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
CVSS v4 Score: Base 8.2
Metric | Value | Comments |
---|---|---|
Attack Vector | Network | The vulnerable system is accessible from remote networks. |
Attack Complexity | Low | No specialized conditions or advanced knowledge are required. |
Attack Requirements | Present | An attacker must be on-path to be able to intercept communications between affected systems. |
Privileges Required | None | No privileges are required for an attacker to successfully exploit the vulnerability. |
User Interaction | None | No user interaction is required for an attacker to successfully exploit the vulnerability. |
Vulnerable System Confidentiality | High | An attacker could access plain text user credentials. |
Vulnerable System Integrity | None | There is no impact to the vulnerable system integrity. |
Vulnerable System Availability | None | There is no impact to the vulnerable system availability. |
Subsequent System Confidentiality | None | There is no impact to subsequent systems. |
Subsequent System Integrity | None | There is no impact to subsequent systems. |
Subsequent System Availability | None | There is no impact to subsequent systems. |
Description
Memory leak due to receipt of specially crafted SIP calls (CVE-2023-22394)
An Improper Handling of Unexpected Data Type vulnerability in the handling of SIP calls in Junos OS on SRX Series and MX Series platforms allows an attacker to cause a memory leak leading to Denial of Services (DoS).
v3.1 | v4.0 | |
---|---|---|
Base | 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L |
Base + Threat | 6.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:U |
CVSS v4 Score: Base + Threat 6.6
Metric | Value | Comments |
---|---|---|
Attack Vector | Network | The vulnerable system is accessible from remote networks. |
Attack Complexity | Low | No specialized conditions or advanced knowledge are required. |
Attack Requirements | None | No attack requirements are present. |
Privileges Required | None | No privileges are required for an attacker to successfully exploit the vulnerability. |
User Interaction | None | No user interaction is required for an attacker to successfully exploit the vulnerability. |
Vulnerable System Confidentiality | None | There is no impact to the vulnerable system confidentiality. |
Vulnerable System Integrity | None | There is no impact to the vulnerable system integrity. |
Vulnerable System Availability | High | An Improper Handling of Unexpected Data Type vulnerability in the handling of SIP calls in Juniper Networks Junos OS on SRX Series and MX Series platforms allows an attacker to cause a memory leak leading to denial of service. |
Subsequent System Confidentiality | None | There is no confidentiality impact to subsequent systems. |
Subsequent System Integrity | None | There is no impact to the integrity of subsequent systems. |
Subsequent System Availability | Low | The subsequent device could be unavailable/unreachable for a brief period of time. |
Exploit Maturity | Unreported | There is no known proof-of-concept or malicious exploitation of this vulnerability. |
Categories: XSS
An issue was discovered in the Calendar feature in Zimbra Collaboration Suite 8.8.x before 8.8.15 patch 30 (update 1), as exploited in the wild starting in December 2021. An attacker could place HTML containing executable JavaScript inside element attributes. This markup becomes unescaped, causing arbitrary markup to be injected into the document.
v3.1 | v4.0 Base |
---|---|
6.1 | 5.1 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
CVSS v4 Score: Base 5.1
Metric | Value | Comments |
---|---|---|
Attack Vector | Network | The vulnerable system is accessible from remote networks. |
Attack Complexity | Low | No specialized conditions or advanced knowledge are required. |
Attack Requirements | None | No attack requirements are present. |
Privileges Required | None | No privileges are required for an attacker to successfully exploit the vulnerability. |
User Interaction | Active | A targeted user must click a malicious link that is provided by an attacker. |
Vulnerable System Confidentiality | None | There is no direct impact to the web application confidentiality. |
Vulnerable System Integrity | None | There is no direct impact to the web application integrity. |
Vulnerable System Availability | None | There is no direct impact to the web application availability. |
Subsequent System Confidentiality | Low | An attacker could read data from the user’s browser. |
Subsequent System Integrity | Low | An attacker could modify data in the user’s browser. |
Subsequent System Availability | None | There is no direct availability impact to the user’s browser. |
Microsoft Office SharePoint XSS Vulnerability
Description
A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka 'Microsoft Office SharePoint XSS Vulnerability'.
An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected SharePoint server. The attacker who successfully exploited the vulnerability could then perform cross-site scripting attacks on affected systems and run script in the security context of the current user. The attacks could allow the attacker to read content that the attacker is not authorized to read, use the victim's identity to take actions on the SharePoint site on behalf of the user, such as change permissions and delete content, and inject malicious content in the browser of the user.
v3.1 | v4.0 Base |
---|---|
5.4 | 5.1 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
CVSS v4 Score: Base 5.1
Metric | Value | Comments |
---|---|---|
Attack Vector | Network | The vulnerable system is accessible from remote networks. |
Attack Complexity | Low | No specialized conditions or advanced knowledge are required. |
Attack Requirements | None | No attack requirements are present. |
Privileges Required | Low | The attacker requires privileges sufficient to store data within the application. |
User Interaction | Passive | A targeted user must browse to the application as part of normal operations. |
Vulnerable System Confidentiality | None | There is no direct impact to the web application confidentiality. |
Vulnerable System Integrity | None | There is no direct impact to the web application integrity. |
Vulnerable System Availability | None | There is no direct impact to the web application availability. |
Subsequent System Confidentiality | Low | An attacker can read content that the attacker is not authorized to read from the user's browser. |
Subsequent System Integrity | Low | An attacker could inject malicious content that could be executed within the user’s browser. |
Subsequent System Availability | None | There is no direct impact to the user’s browser availability. |
Description
Cisco Adaptive Security Appliance Firepower Threat Defense (FTD) Privilege Escalation Vulnerability (CVE-2022-20759)
A vulnerability in the web services interface for remote access VPN features of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, but unprivileged, remote attacker to elevate privileges to level 15.
An attacker could exploit this vulnerability by sending crafted HTTPS messages to the web services interface of an affected device. A successful exploit could allow the attacker to gain privilege level 15 access to the web management interface of the device.
v3.1 | v4.0 Base |
---|---|
8.8 | 7.7 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
CVSS v4 Score: Base 7.7
Metric | Value | Comments |
---|---|---|
Attack Vector | Network | Attacks are executed through HTTPS requests. |
Attack Complexity | Low | No advanced knowledge is required |
Attack Requirements | Present | HTTP Management Access and IKEv2 Client Service must be enabled on at least one interface, or HTTP management interface and WebVPN must be enabled on at least one interface. |
Privileges Required | Low | An attacker must have valid credentials for the VPN. |
User Interaction | None | No additional user interaction is required for successful exploitation. |
Vulnerable System Confidentiality | High | Successful exploitation could result in a complete compromise (enable 15) of the targeted device, which results in a complete (High) impact on the confidentiality of the device. |
Vulnerable System Integrity | High | Successful exploitation could result in a complete compromise resulting in High integrity impact. |
Vulnerable System Availability | High | Successful exploitation could result in a complete compromise resulting in High availability impact. |
Subsequent System Confidentiality | None | There is no impact to subsequent systems. |
Subsequent System Integrity | None | There is no impact to subsequent systems. |
Subsequent System Availability | None | There is no impact to subsequent systems. |
Description
A vulnerability in the Cisco IOS XE SD-WAN Software CLI could allow an authenticated, local attacker to elevate privileges and execute arbitrary code on the underlying operating system as the root user. An attacker must be authenticated on an affected device as a PRIV15 administrative user.
v3.1 | v4.0 | |
---|---|---|
Base | 6.0 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N | 8.3 CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
Base + Threat | 5.6 CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U |
CVSS v4 Score: Base + Threat 5.6
Metric | Value | Comments |
---|---|---|
Attack Vector | Local | An attacker must be able to access the vulnerable system with a local, interactive session. |
Attack Complexity | Low | No specialized conditions or advanced knowledge are required. |
Attack Requirements | None | No attack requirements are present. |
Privileges Required | High | An attacker must have administrator privileges within the affected system. |
User Interaction | None | No additional user interaction is required for exploit |
Vulnerable System Confidentiality | High | An attacker could execute arbitrary commands on the affected system with the privileges of the root user, allowing the privileged attacker to access sensitive files that would otherwise be inaccessible to the administrative user. |
Vulnerable System Integrity | High | An attacker could execute arbitrary commands on the affected system with the privileges of the root user, allowing the privileged attacker to modify system values that would otherwise be inaccessible to the administrative user. |
Vulnerable System Availability | None | An attacker does not gain any additional privileges to impact system availability. Privileges required to exploit this vulnerability already allow the attacker to turn off the system, so there is no privilege gain as a result of exploitation. |
Subsequent System Confidentiality | None | There is no impact to subsequent systems. |
Subsequent System Integrity | None | There is no impact to subsequent systems. |
Subsequent System Availability | None | There is no impact to subsequent systems. |
Exploit Maturity | Unreported | There is no known proof-of-concept code or malicious exploitation of this vulnerability. |
Microsoft Word Remote Code Execution Vulnerability
An attacker must send the user a malicious file and convince the user to open said file which results in RCE.
v3.1 | v4.0 Base |
---|---|
7.8 | 8.5 |
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
CVSS v4 Score: Base 8.5
Metric | Value | Comments |
---|---|---|
Attack Vector | Local | The document must be present on the local disk. |
Attack Complexity | Low | Nothing outside of the attacker’s control. |
Attack Requirements | None | No attack requirements are present. |
Privileges Required | None | No privileges are required for an attacker to successfully exploit the vulnerability. |
User Interaction | Passive | A user must open a document. |
Vulnerable System Confidentiality | High | The attacker could execute arbitrary code, which could allow the attacker to compromise the affected system completely. |
Vulnerable System Integrity | High | The attacker could execute arbitrary code, which could allow the attacker to compromise the affected system completely. |
Vulnerable System Availability | High | The attacker could execute arbitrary code, which could allow the attacker to compromise the affected system completely. |
Subsequent System Confidentiality | None | There is no impact to subsequent systems. |
Subsequent System Integrity | None | There is no impact to subsequent systems. |
Subsequent System Availability | None | There is no impact to subsequent systems. |
Spring4shell
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
Attack
An RCE can be established by simply sending a series of malicious web requests to a web server running on a vulnerable version of Spring. Spring4Shell allows attackers to get arbitrary code execution in the context of the user that is running the vulnerable application. Once the attackers achieve RCE, they can install malware or can use the server as an initial foothold to escalate privileges and compromise the whole system, or even access subsequent backend systems that the vulnerable server has privileged access to.
v3.1 | v4.0 Base + Threat |
---|---|
9.8 | 9.2 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A |
CVSS v4 Score: Base + Threat 9.2
Metric | Value | Comments |
---|---|---|
Attack Vector | Network | The vulnerable system is accessible from remote networks. |
Attack Complexity | Low | No specialized conditions or advanced knowledge are required. |
Attack Requirements | Present | A successful attack depends on the deployment and execution conditions of the vulnerable system. |
Privileges Required | None | No privileges are required for an attacker to successfully exploit the vulnerability. |
User Interaction | None | No user interaction is required for an attacker to successfully exploit the vulnerability. |
Vulnerable System Confidentiality | High | The vulnerability allows an attacker to execute arbitrary code in the context of the user that is running the vulnerable application and gain complete control over the system. |
Vulnerable System Integrity | High | The vulnerability allows an attacker to execute arbitrary code in the context of the user that is running the vulnerable application and gain complete control over the system. |
Vulnerable System Availability | High | The vulnerability allows an attacker to execute arbitrary code in the context of the user that is running the vulnerable application and gain complete control over the system. |
Subsequent System Confidentiality | None | There is no immediate loss of confidentiality within the subsequent systems. But, based on how Spring is deployed in the target environment, the compromised server could be used as a pivot to leverage further. If there are subsequent impacts, they should be defined in environmental metrics. |
Subsequent System Integrity | None | There is no immediate loss of integrity within the subsequent systems. But, based on how Spring is deployed in the target environment, the compromised server could be used as a pivot to leverage further. If there are subsequent impacts, they should be defined in environmental metrics. |
Subsequent System Availability | None | There is no immediate loss of availability within the subsequent system. But, based on how Spring is deployed in the target environment, the compromised server could be used as a pivot to leverage further. If there are subsequent impacts, they should be defined in environmental metrics. |
Exploit Maturity | Attacked | There are known exploits in the wild. |
A vulnerability in the secure boot implementation of Cisco Secure Firewalls 3100 Series that are running Cisco Adaptive Security Appliance (ASA) Software or Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated attacker with physical access to the device to bypass the secure boot functionality. This vulnerability is due to a logic error in the boot process. An attacker could exploit this vulnerability by injecting malicious code into a specific memory location during the boot process of an affected device. A successful exploit could allow the attacker to execute persistent code at boot time and break the chain of trust.
v3.1 | v4.0 Base |
---|---|
6.4 | 5.4 |
CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
CVSS v4 Score: Base 5.4
Metric | Value | Comments |
---|---|---|
Attack Vector | Physical | An attacker requires physical access to a vulnerable system. |
Attack Complexity | Low | No specialized conditions or advanced knowledge are required. |
Attack Requirements | Present | There are timing requirements outside the attacker’s control, making exploit attempts unreliable. |
Privileges Required | None | No privileges are required for an attacker to successfully exploit the vulnerability. |
User Interaction | None | No user interaction is required for an attacker to successfully exploit the vulnerability. |
Vulnerable System Confidentiality | High | An attacker could inject malicious, unsigned code and execute arbitrary commands. |
Vulnerable System Integrity | High | An attacker could inject malicious, unsigned code and execute arbitrary commands. |
Vulnerable System Availability | High | An attacker could inject malicious, unsigned code and execute arbitrary commands. |
Subsequent System Confidentiality | None | There is no impact to subsequent systems. |
Subsequent System Integrity | None | There is no impact to subsequent systems. |
Subsequent System Availability | None | There is no impact to subsequent systems. |
Description
Vulnerability in Oracle E-Business Suite (component: Manage Proxies). The supported version that is affected is 12.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle E-Business Suite. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle E-Business Suite accessible data.
Note: Authentication is required for successful attack, however the user may be self-registered. Oracle E-Business Suite 12.1 is not impacted by this vulnerability. Customers should refer to the Patch Availability Document for details.
v3.1 | v4.0 Base |
---|---|
7.5 | 8.7 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
CVSS v4 Score: Base 8.7
Metric | Value | Comments |
---|---|---|
Attack Vector | Network | The vulnerable system is accessible from remote networks. |
Attack Complexity | Low | No specialized conditions or advanced knowledge are required. |
Attack Requirements | None | No attack requirements are present. |
Privileges Required | None | No privileges are required for an attacker to successfully exploit the vulnerability. |
User Interaction | None | No user interaction is required for an attacker to successfully exploit the vulnerability. |
Vulnerable System Confidentiality | High | An attacker could exploit the vulnerability to access critical data that is stored within the vulnerable application. |
Vulnerable System Integrity | None | There is no impact to the vulnerable system integrity. |
Vulnerable System Availability | None | There is no impact to the vulnerable system availability. |
Subsequent System Confidentiality | None | There is no impact to subsequent systems. |
Subsequent System Integrity | None | There is no impact to subsequent systems. |
Subsequent System Availability | None | There is no impact to subsequent systems. |
In Ericsson Network Manager (ENM) releases before 21.2, users belonging to the same AMOS authorization group can retrieve the data from certain log files. All AMOS users are considered to be highly privileged users in the ENM system and all must be previously defined and authorized by the Security Administrator. Those users can access some log’s files, under a common path, and read information stored in the log’s files in order to conduct privilege escalation.
v3.1 | v4.0 Base |
---|---|
4.9 | 6.9 |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
CVSS v4 Score: Base 6.9
Metric | Value | Comments |
---|---|---|
Attack Vector | Network | The vulnerable system is accessible from remote networks. |
Attack Complexity | Low | No specialized conditions or advanced knowledge are required. |
Attack Requirements | None | No attack requirements are present. |
Privileges Required | High | An attacker must have membership in the AMOS authorization group sufficient to read data from log files. |
User Interaction | None | No user interaction is required for an attacker to successfully exploit the vulnerability. |
Vulnerable System Confidentiality | High | An attacker could exploit the vulnerability to view sensitive data within the application log files. |
Vulnerable System Integrity | None | There is no impact to the vulnerable system integrity. |
Vulnerable System Availability | None | There is no impact to the vulnerable system availability. |
Subsequent System Confidentiality | None | There is no impact to subsequent systems. |
Subsequent System Integrity | None | There is no impact to subsequent systems. |
Subsequent System Availability | None | There is no impact to subsequent systems. |
Description
Atlassian Confluence Server and Data Center OGNL Injection Vulnerability (CVE-2022-26134)
In Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance.
A remote attacker could exploit it by requests injecting specially crafted OGNL templates in order to execute arbitrary code.
v3.1 | v4.0 Base |
---|---|
9.8 | 9.3 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
CVSS v4 Score: Base 9.3
Metric | Value | Comments |
---|---|---|
Attack Vector | Network | Attacks are executed through HTTP(s) requests and are accessible from remote networks. |
Attack Complexity | Low | No advanced knowledge is required |
Attack Requirements | None | No attack requirements are present. |
Privileges Required | None | No privileges are required for an attacker to successfully exploit the vulnerability. |
User Interaction | None | No user interaction is required for an attacker to successfully exploit the vulnerability. |
Vulnerable System Confidentiality | High | Successful exploitation could result in a complete compromise (command execution as root) of the affected device, which results in a complete (High) impact on the confidentiality of the device. |
Vulnerable System Integrity | High | Successful exploitation could result in a complete compromise (command execution as root) of the affected device, which results in a complete (High) impact on the integrity of the device. |
Vulnerable System Availability | High | Successful exploitation could result in a complete compromise (command execution as root) of the affected device, which results in a complete (High) impact on the availability of the device. |
Subsequent System Confidentiality | None | There are no additional impacts to subsequent systems. |
Subsequent System Integrity | None | There are no additional impacts to subsequent systems. |
Subsequent System Availability | None | There are no additional impacts to subsequent systems. |
Description:
In Panasonic Control FPWIN versions 7.6.0.3 and prior, a stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or a parameter to a function) when a file is opened within the application.
v3.1 | v4.0 |
---|---|
7.8 | 8.5 |
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/S:P |
CVSS v4 Score: Base 8.5
Metric | Value | Comments |
---|---|---|
Attack Vector | Local | An attacker must be locally connected to the vulnerable system. |
Attack Complexity | Low | No built-in security-enhancing conditions exist within the product to inhibit successful exploitation. |
Attack Requirements | None | The attacker can execute the exploit with no specific difficulty. No attack requirements are present. |
Privileges Required | None | No privileges are required for an attacker to successfully exploit the vulnerability. |
User Interaction | Passive | A user, other than the attacker, must be present for the vulnerability to be exploited. However, the actions taken by the user are typical, because a user must open a file within the vulnerable application. |
Vulnerable System Confidentiality | High | Exploitation of the vulnerability results in complete control of the vulnerable system. |
Vulnerable System Integrity | High | Exploitation of the vulnerability results in complete control of the vulnerable system. |
Vulnerable System Availability | High | Exploitation of the vulnerability results in complete control of the vulnerable system. |
Subsequent System Confidentiality | None | The impact on confidentiality is limited to the vulnerable system. No direct downstream impact is indicated. |
Subsequent System Integrity | None | The impact on integrity is limited to the vulnerable system. No direct downstream impact is indicated. |
Subsequent System Availability | None | The impact on availability is limited to the vulnerable system. No direct downstream impact is indicated. |
Safety | Present | The impact from an attacker gaining full control of software that is running on a programmable logic controller (PLC) may meet the definition of IEC 61508 consequence category marginal, critical or catastrophic for certain usage of the PLC in an Operational Technology (OT) environment where humans may be harmed. |
Description:
Insulet Omnipod Insulin Management System insulin pump product ID 19191 and 40160 is designed to communicate using a wireless RF with an Insulet manufactured Personal Diabetes Manager device. This wireless RF communication protocol does not properly implement authentication or authorization. An attacker with access to one of the affected insulin pump models may be able to modify and/or intercept data. This vulnerability could also allow attackers to change pump settings and control insulin delivery.
v3.1 | v4.0 | |
---|---|---|
Base | 8.1 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N | 8.6 CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/S:P |
Base + Environmental | 9.7 CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/MSI:S/S:P |
CVSS v4 Score: Base + Environmental 9.7
Metric | Value | Comments |
---|---|---|
Attack Vector | Adjacent | An attacker must be within the local proximity of the device. |
Attack Complexity | Low | No specialized conditions or advanced knowledge are required. |
Attack Requirements | None | No attack requirements are present. |
Privileges Required | None | No attack requirements are present. |
User Interaction | None | No user interaction is required for an attacker to successfully exploit the vulnerability. |
Vulnerable System Confidentiality | High | An attacker could exploit the vulnerability to intercept critical data. |
Vulnerable System Integrity | High | An attacker could exploit the vulnerability to change pump settings and control insulin delivery. |
Vulnerable System Availability | None | There is no impact to the vulnerable system availability. |
Subsequent System Confidentiality | None | There is no impact to subsequent systems. |
Subsequent System Integrity | None | There is no impact to subsequent systems. |
Subsequent System Availability | None | There is no impact to subsequent systems. |
Exploit Maturity | Unreported | There is no known proof-of-concept code or malicious exploitation of this vulnerability. |
Modified Subsequent System | Safety | Because control of insulin delivery can be changed, there is a health and human safety impact. |
Safety | Present | Impact on health and human safety from a vulnerability in an OT device may meet definition of IEC 61508 consequence category critical. |
Description:
MIT Kerberos 5 (aka krb5) before 1.17.2 and 1.18.x before 1.18.3 allows unbounded recursion via an ASN.1-encoded Kerberos message because the lib/krb5/asn.1/asn1_encode.c support for BER indefinite lengths lacks a recursion limit.
v3.1 | v4.0 Base | |
---|---|---|
Base | 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/V:C |
CVSS v4 Score: Base 8.7
Metric | Value | Comments |
---|---|---|
Attack Vector | Network | The vulnerable system is accessible from remote networks. |
Attack Complexity | Low | No specialized conditions or advanced knowledge are required. |
Attack Requirements | None | No attack requirements are present. |
Privileges Required | None | No attack requirements are present. |
User Interaction | None | No user interaction is required for an attacker to successfully exploit the vulnerability. |
Vulnerable System Confidentiality | None | There is no impact to the vulnerable system confidentiality. |
Vulnerable System Integrity | None | There is no impact to the vulnerable system integrity. |
Vulnerable System Availability | High | An attacker could cause the application to fail and restart, resulting in a denial of service condition. |
Subsequent System Confidentiality | None | There is no impact to subsequent systems. |
Subsequent System Integrity | None | There is no impact to subsequent systems. |
Subsequent System Availability | None | There is no impact to subsequent systems. |
Value Density | Concentrated | The value of the Kerberos system is highly concentrated due to its functionality in the network environment. |
Date | Ver | Description |
---|---|---|
2023-08-10 | v0.1 | Initial Publication |
2023-09-29 | v0.2 | Grammatical editing changes, updated metrics score comments, and corrected metric score mismatches. Updated CVE-2021-44228 |
2023-10-30 | v0.3 | Added new examples for Value Density (CVE-2020-28196) and Safety (CVE-2023-30560). Additional error corrections |
2023-11-01 | v1.0 | Official Release |