CVSS Score 5

Author: martindg

trainingportal/qna.js

@@ -251,6 +251,10 @@ let cvss_7_score_4 = () => {
   return {"digest": getDigest("CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N")};
 }
 
+let cvss_8_score_5 = () => {
+  return {"digest": getDigest("CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N")};
+}
+
 const DEFS = {
   "crypto_caesar": caesarEnc,
   "crypto_vigenere": vigenereEnc,
@@ -264,7 +268,8 @@ const DEFS = {
   "cvss_4_score_2": cvss_4_score_2,
   "cvss_5_chain": cvss_5_chain,
   "cvss_6_score_3": cvss_6_score_3,
-  "cvss_7_score_4": cvss_7_score_4
+  "cvss_7_score_4": cvss_7_score_4,
+  "cvss_8_score_5": cvss_8_score_5
 }
 
 module.exports = {

trainingportal/static/lessons/cvss/cvss_8_score_5.md

@@ -0,0 +1,19 @@
+### Task
+
+Score the following scenario using the CVSS v4.0 calculator [https://www.first.org/cvss/calculator/4-0](https://www.first.org/cvss/calculator/4-0).
+
+<br><br>
+
+### Scenario
+
+The company "PCGamingCompany.insecure.example" offers computer games to its customers. The service offers an easy sign up for new customers.
+
+From a technical standpoint, they have a web client and a desktop client. In order for customers to play games, they have to download the desktop client and log into their account.
+
+<br><br>
+
+#### Vulnerability
+
+An attacker can cause a denial of service impact on the telemetry service by providing specially crafted data. The attacker can maliciously change the filename of a locally available game (installed by the gaming desktop client). The desktop client will then try to report this filename and the telemetry service will crash. As a result, customers won't be able to see their gaming statistics, but will still be able to play normally their games.
+
+<br><br>

trainingportal/static/lessons/cvss/cvss_8_score_5.sol.md

@@ -0,0 +1,24 @@
+High-level analysis:
+
+- Prerequisites:
+    - None.
+        - Even if from technical point of view the API does require authentication, it is easy for an attacker to obtain a normal account and leverage that. Per the [CVSS Specification](https://www.first.org/cvss/v4-0/specification-document#Privileges-Required-PR): "Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack".
+        - Despite the attacker starting from a local system with the desktop client being installed, they are actually targeting the Vulnerable System (the telemetry API) remotely over the network. It is within the attacker's control the sign up and install the desktop client on a machine they control.
+- Impact:
+    - Non-critical service is impacted
+
+---
+
+CVSS:
+
+- Attack Vector: Network (N)
+- Attack Complexity: Low (L)
+- Attack Requirements: None (N)
+- Privileges Required: None (N)
+- User Interaction: None (N)
+- Vulnerable System Confidentiality: None (N)
+- Vulnerable System Integrity: None (N)
+- Vulnerable System Availability: Low (L)
+- Subsequent System Confidentiality: None (N)
+- Subsequent System Integrity: None (N)
+- Subsequent System Availability: None (N)

trainingportal/static/lessons/cvss/definitions.json

@@ -103,6 +103,15 @@
                 "type":"quiz",
                 "mission":"Enter the CVSS v4 string (Base Score)",
                 "codeBlockIds":[]
+            },
+            {
+                "id":"cvss_8_score_5",
+                "name":"Score Vulnerability 5",
+                "description": "cvss_8_score_5.md",
+                "solution": "cvss_8_score_5.sol.md",
+                "type":"quiz",
+                "mission":"Enter the CVSS v4 string (Base Score)",
+                "codeBlockIds":[]
             }
         ]
     }