[GHSA-998c-q8hh-h8gv] Update CVSS 4 Attack Complexity from Low to High #5166
base: vulnerability-analyst/advisory-improvement-5166
Conversation
Hi @vulnerability-analyst, thank you for explaining your suggested changes and providing examples of the CNA using an Have you contacted Concrete CMS via their CNA email to ask them about their CVSSv4 scoring decision for CVE-2024-8660? Their CNA profile is available at https://www.cve.org/PartnerInformation/ListofPartners/partner/ConcreteCMS and provides an email address where people with questions about Concrete CMS's CVEs can contact them. If you haven't emailed Concrete CMS already, I would suggest you do that as your next step.
Hi @shelbyc, I’ve reached out to the Concrete CMS team, and they’ve informed me that the matter is under internal discussion. I’ll provide an update here as soon as I receive confirmation from them. On a related note, my colleagues mentioned they couldn’t see my contributions on the PR page of GHSA (please see the snapshots below); this issue is also true of my merged PR, where my colleagues encountered a 404 error when trying to access the page. Could this be due to a specific reason, such as @vulnerability-analyst being a relatively new account? My view when using @vulnerability-analyst: Public view when using a different account or incognito mode (not logged in):
👋 This pull request has been marked as stale because it has been open with no activity. You can: comment on the issue or remove the stale label to hold stale off for a while, add the
Hi @vulnerability-analyst, sorry for not seeing your message sooner! As of 15 January 2025, your pull requests are visible to other accounts again.
Summary
The vulnerability described in GHSA-998c-q8hh-h8gv / CVE-2024-8660 requires a rogue administrator for a successful attack:
Based on the CVSS 4 specification, this vulnerability should have an Attack Complexity (AC) rating of High, not Low, because the attack relies on the privileges and knowledge of an administrator to bypass built-in security mechanisms.
Rationale
Alignment with CVSS 4 Specification
The CVSS 4 specification defines Attack Complexity = High as follows:
To execute the attack successfully, the attacker must either possess insider knowledge exclusive to an administrator or steal the administrator’s credentials. This requirement aligns with the CVSS 4 definition of Attack Complexity = High.
Comparison with Similar Vulnerabilities
Several similar vulnerabilities in Concrete CMS were rated with Attack Complexity = High and Attack Requirement = None, including:
These similar CVEs have been rated as Attack Complexity = High. Consistency demands that the GHSA-998c-q8hh-h8gv / CVE-2024-8660 vulnerability also be rated as High for Attack Complexity.
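The change this pull request asks for is a single base-metric edit in the advisory's CVSS v4.0 vector (AC:L to AC:H). The following added example, which is not code from the advisory database or from Concrete CMS, shows how to parse a CVSS v4.0 vector, validate its base metrics against the values the specification permits, apply that edit, and report exactly which metrics differ between the published and proposed vectors. The example vector is constructed for illustration; it is not the vector actually published for CVE-2024-8660.

```python
"""Parse, validate and edit CVSS v4.0 vector strings (added example, not project code)."""
import re

# Base metrics and their permitted values, as defined in the CVSS v4.0 specification.
BASE_METRICS = {
    "AV": ("N", "A", "L", "P"),   # Attack Vector
    "AC": ("L", "H"),             # Attack Complexity
    "AT": ("N", "P"),             # Attack Requirements
    "PR": ("N", "L", "H"),        # Privileges Required
    "UI": ("N", "P", "A"),        # User Interaction
    "VC": ("H", "L", "N"),        # Vulnerable system Confidentiality
    "VI": ("H", "L", "N"),        # Vulnerable system Integrity
    "VA": ("H", "L", "N"),        # Vulnerable system Availability
    "SC": ("H", "L", "N"),        # Subsequent system Confidentiality
    "SI": ("H", "L", "N"),        # Subsequent system Integrity
    "SA": ("H", "L", "N"),        # Subsequent system Availability
}
PREFIX = "CVSS:4.0"
_PAIR = re.compile(r"^([A-Z]{1,3}):([A-Za-z]+)$")


def parse_cvss4(vector: str) -> dict:
    """Split a CVSS v4.0 vector into an ordered metric -> value mapping.

    Every base metric must appear exactly once with a permitted value.
    Threat, environmental and supplemental metrics are kept verbatim in
    their original position but are not validated here.
    """
    parts = vector.split("/")
    if parts[0] != PREFIX:
        raise ValueError(f"expected prefix {PREFIX!r}, got {parts[0]!r}")
    metrics: dict = {}
    for part in parts[1:]:
        match = _PAIR.match(part)
        if not match:
            raise ValueError(f"malformed metric {part!r}")
        key, value = match.groups()
        if key in metrics:
            raise ValueError(f"duplicate metric {key}")
        if key in BASE_METRICS and value not in BASE_METRICS[key]:
            raise ValueError(f"value {value!r} is not permitted for {key}")
        metrics[key] = value
    missing = [k for k in BASE_METRICS if k not in metrics]
    if missing:
        raise ValueError(f"missing base metrics: {', '.join(missing)}")
    return metrics


def is_valid_cvss4(vector: str) -> bool:
    """True when the vector parses and its base metrics are all permitted."""
    try:
        parse_cvss4(vector)
    except ValueError:
        return False
    return True


def format_cvss4(metrics: dict) -> str:
    """Rebuild the vector string, preserving the metric order from parsing."""
    return "/".join([PREFIX] + [f"{k}:{v}" for k, v in metrics.items()])


def with_attack_complexity(vector: str, ac: str) -> str:
    """Return a copy of the vector with Attack Complexity set to `ac` (L or H)."""
    if ac not in BASE_METRICS["AC"]:
        raise ValueError(f"AC must be one of {BASE_METRICS['AC']}, got {ac!r}")
    metrics = parse_cvss4(vector)
    metrics["AC"] = ac
    return format_cvss4(metrics)


def diff_vectors(old: str, new: str) -> dict:
    """Map each metric whose value changed to an (old, new) tuple."""
    a, b = parse_cvss4(old), parse_cvss4(new)
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}


# Constructed illustration only: a vector with AC:L and PR:H, matching the
# "rogue administrator" precondition discussed above. Not the real CVE-2024-8660 vector.
EXAMPLE_VECTOR = "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"

if __name__ == "__main__":
    proposed = with_attack_complexity(EXAMPLE_VECTOR, "H")
    print("published:", EXAMPLE_VECTOR)
    print("proposed: ", proposed)
    print("changed:  ", diff_vectors(EXAMPLE_VECTOR, proposed))
```

Running the module prints the constructed vector, the vector with AC raised to High, and a change set containing only `AC`, which is the kind of one-metric diff a reviewer would expect to see attached to a scoring-change request. The parser rejects duplicated or missing base metrics and values outside the specification, so a malformed vector fails before any edit is applied.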