This repository was archived by the owner on Dec 1, 2024. It is now read-only.

Description
While fuzzing this implementation, I discovered that some invalid inputs did not raise errors.
This could be categorized as CWE-20.
For instance, the following Go code does not produce any error.

```go
package main

import (
	"fmt"

	"github.com/facebookincubator/nvdtools/cvss3"
)

func main() {
	vec, err := cvss3.VectorFromString("CVSS:3.1/AV:")
	fmt.Printf("vec: %v\n", vec)
	fmt.Printf("err: %v\n", err)
}
```

produces ->

```
vec: CVSS:3.1/
err: <nil>
```
You can check that this input is invalid using the official first.org calculator, which does not give a score as it lacks a lot of valid info, or by looking at Table 15 of the specification, which shows that base metrics can't be empty.
EDIT: using version v0.1.5.
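A strict pre-check that a consumer can run before handing a vector string to the library, as an added example that is not part of this report or of nvdtools itself. It rejects the dangling `AV:` above, any missing base metric, and any value outside the single-letter set from Table 15 of the CVSS v3.1 specification; the metric names and values are the spec's, the function name is this example's own.

```go
package main

import (
	"fmt"
	"strings"
)

// Permitted single-letter values for each CVSS v3.1 base metric (Specification, Table 15).
var baseMetricValues = map[string]string{
	"AV": "NALP", "AC": "LH", "PR": "NLH", "UI": "NR",
	"S": "UC", "C": "HLN", "I": "HLN", "A": "HLN",
}

// ValidateBaseVector returns an error unless every base metric is present with a
// non-empty, permitted value. Non-base metrics are accepted only when well-formed.
func ValidateBaseVector(s string) error {
	parts := strings.Split(s, "/")
	if parts[0] != "CVSS:3.1" && parts[0] != "CVSS:3.0" {
		return fmt.Errorf("unexpected prefix %q", parts[0])
	}
	seen := map[string]bool{}
	for _, part := range parts[1:] {
		kv := strings.SplitN(part, ":", 2)
		// "AV:" (the input from the report) fails here: the value is empty.
		if len(kv) != 2 || kv[0] == "" || kv[1] == "" {
			return fmt.Errorf("malformed metric %q", part)
		}
		name, val := kv[0], kv[1]
		allowed, isBase := baseMetricValues[name]
		if !isBase {
			continue // temporal/environmental metrics are not checked here
		}
		if len(val) != 1 || !strings.Contains(allowed, val) {
			return fmt.Errorf("base metric %q has invalid value %q", name, val)
		}
		seen[name] = true
	}
	// Table 15: none of the eight base metrics may be omitted.
	for name := range baseMetricValues {
		if !seen[name] {
			return fmt.Errorf("base metric %q missing", name)
		}
	}
	return nil
}

func main() {
	fmt.Println(ValidateBaseVector("CVSS:3.1/AV:"))
	fmt.Println(ValidateBaseVector("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"))
}
```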