CVSS Score 4

Author: martindg

trainingportal/qna.js

@@ -246,6 +246,11 @@ let cvss_5_chain = () => {
 let cvss_6_score_3 = () => {
   return {"digest": getDigest("CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N")};
 }
+
+let cvss_7_score_4 = () => {
+  return {"digest": getDigest("CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N")};
+}
+
 const DEFS = {
   "crypto_caesar": caesarEnc,
   "crypto_vigenere": vigenereEnc,
@@ -258,7 +263,8 @@ const DEFS = {
   "cvss_3_score_1": cvss_3_score_1,
   "cvss_4_score_2": cvss_4_score_2,
   "cvss_5_chain": cvss_5_chain,
-  "cvss_6_score_3": cvss_6_score_3
+  "cvss_6_score_3": cvss_6_score_3,
+  "cvss_7_score_4": cvss_7_score_4
 }
 
 module.exports = {

trainingportal/static/lessons/cvss/cvss_7_score_4.md

@@ -0,0 +1,21 @@
+### Task
+
+Score the following scenario using the CVSS v4.0 calculator [https://www.first.org/cvss/calculator/4-0](https://www.first.org/cvss/calculator/4-0).
+
+<br><br>
+
+### Scenario
+
+The company "PCGamingCompany.insecure.example" offers computer games to its customers. The service offers an easy sign up for new customers.
+
+From a technical standpoint, they have a web client and a desktop client. In order for customers to play games, they have to download the desktop client and log into their account.
+
+<br><br>
+
+#### Vulnerability
+
+An authenticated attacker can leverage an Authorization bypass in a development debug API that got into production to read arbitrary files on the filesystem of a victim with installed desktop client.
+
+**Note:** For this example we can assume that userids are easily guessable. This is an issue on its own, but is out of scope for this example.
+
+<br><br>

trainingportal/static/lessons/cvss/cvss_7_score_4.sol.md

@@ -0,0 +1,23 @@
+High-level analysis:
+
+- Prerequisites:
+    - None. Even if from technical point of view the API does require authentication, it is easy for an attacker to obtain a normal account and leverage that. Per the [CVSS Specification](https://www.first.org/cvss/v4-0/specification-document#Privileges-Required-PR): "Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack".
+- Impact:
+    - There is High impact on Confidentiality as all files on the victim's machine can be read by the attacker.
+        - While the attacker leverages the Vulnerable System (i.e. the Web API), the impact is on a Subsequent System (i.e. the victim's machine), so we have a change of scope and impact on Subsequent System
+
+---
+
+CVSS:
+
+- Attack Vector: Network (N)
+- Attack Complexity: Low (L)
+- Attack Requirements: None (N)
+- Privileges Required: None (N)
+- User Interaction: None (N)
+- Vulnerable System Confidentiality: None (N)
+- Vulnerable System Integrity: None (N)
+- Vulnerable System Availability: None (N)
+- Subsequent System Confidentiality: High (H)
+- Subsequent System Integrity: None (N)
+- Subsequent System Availability: None (N)

trainingportal/static/lessons/cvss/definitions.json

@@ -94,6 +94,15 @@
                 "type":"quiz",
                 "mission":"Enter the CVSS v4 string (Base Score)",
                 "codeBlockIds":[]
+            },
+            {
+                "id":"cvss_7_score_4",
+                "name":"Score Vulnerability 4",
+                "description": "cvss_7_score_4.md",
+                "solution": "cvss_7_score_4.sol.md",
+                "type":"quiz",
+                "mission":"Enter the CVSS v4 string (Base Score)",
+                "codeBlockIds":[]
             }
         ]
     }