Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[GHSA-2gjg-5x33-mmp2] Update CVSS 3.x Scope (S) from Unchanged (U) to Changed (C) #5195

Open
wants to merge 1 commit into
base: anonymous-nlp-student/advisory-improvement-5195
Choose a base branch
from
Open

[GHSA-2gjg-5x33-mmp2] Update CVSS 3.x Scope (S) from Unchanged (U) to Changed (C) #5195

wants to merge 1 commit into from
+2 −2

Conversation

anonymous-nlp-student
Copy link

Summary

Summary

The Scope (S) aspect of CVE-2018-16202 / GHSA-xwjh-cp99-cj8q should be updated from Unchanged (U) to Changed (C). The path traversal vulnerability allows attackers to access files that are not managed by localhost-now. This falls “beyond the security scope managed by the security authority of the vulnerable component,” aligning with the definition of S:C

GHSA Description

Versions of localhost-now before 1.0.2 are vulnerable to path traversal. This allows a remote attacker to read the content of an arbitrary file.

CVSS 3.x Specifications

Metric Value Description
Unchanged (U) An exploited vulnerability can only affect resources managed by the same security authority. In this case, the vulnerable component and the impacted component are either the same, or both are managed by the same security authority.
Changed (C) An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component. In this case, the vulnerable component and the impacted component are different and managed by different security authorities.

Supporting Examples

Versions of cordova-plugin-ionic-webview prior to 2.2.0 are vulnerable to Path Traversal, allowing attackers access to OS local files that should be inaccessible by third-party applications. The package launches a webserver listening on http://localhost:8080 without restricting access of the app itself, thus escaping the iOS application sandbox and accessing local files.

@github-actions github-actions bot changed the base branch from main to anonymous-nlp-student/advisory-improvement-5195 January 17, 2025 17:29
@shelbyc
Copy link
Contributor

shelbyc commented Jan 17, 2025

Hi @anonymous-nlp-student, I don't necessarily agree with changing the scope change from unchanged to changed because the whole point of a path traversal is a threat actor being able to access files in a system that they shouldn't be able to access. The CVE Numbering Authority for CVE-2018-3729, HackerOne, didn't provide a CVSS, but I agree with NVD's CVSSv3 of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. If you're interested in discussing the nature of an unchanged vs. changed scope and changing the CVSS in the CVE record, I would recommend contacting HackerOne via their CNA contact information on https://www.cve.org/PartnerInformation/ListofPartners/partner/hackerone.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@anonymous-nlp-student @shelbyc