[GHSA-9gqh-q4cx-f2h9] Update the CVSS 3.x Attack Complexity from Low to High #5168

Conversation

vulnerability-analyst

Summary

The CVSS 3.x Attack Complexity for CVE-2016-1059 / GHSA-9gqh-q4cx-f2h9 should be classified as High instead of Low, based on the requirement for the attacker to obtain a privileged network position. This aligns directly with the CVSS 3.x definition of High Attack Complexity, which states that a successful attack demands “some measurable amount of effort […] in preparation or execution against the vulnerable component before a successful attack can be expected.”

In scenarios where an attacker has a privileged network position, they can modify or read such resources at will. While the exact severity of impact for a vulnerability like this is highly variable and depends on the behavior of the package itself, it ranges from being able to read sensitive information all the way up to and including remote code execution. (Excerpt of CVE-2016-1059 / GHSA-9gqh-q4cx-f2h9)

A successful attack depends on conditions beyond the attacker's control. That is, a successful attack cannot be accomplished at will, but requires the attacker to invest in some measurable amount of effort in preparation or execution against the vulnerable component before a successful attack can be expected. (Excerpt of CVSS 3.x Specification)

Supporting Examples

The following CVEs have similar phrasing and CVSS 3.x Attack Complexity = High:

| ID | CVSS 3.x | Description |
| --- | --- | --- |
| CVE-2016-10673 / GHSA-m8pw-h8qj-rgj9 | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | Affected versions of ipip-coffee insecurely download resources over HTTP. In scenarios where an attacker has a privileged network position, they can modify or read such resources at will. This could impact the integrity and availability of the data being used to make geolocation decisions by an application. [...] |
| CVE-2016-10652 / GHSA-r36x-p5pv-9mfx | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | Affected versions of prebuild-lwip insecurely download resources over HTTP. In scenarios where an attacker has a privileged network position, they can modify or read such resources at will. While the exact severity of impact for a vulnerability like this is highly variable and depends on the behavior of the package itself, it ranges from being able to read sensitive information all the way up to and including remote code execution. [...] |
| CVE-2016-10593 / GHSA-92qm-hc53-jjrj | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | Affected versions of ibapi insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on the system running ibapi. [...] |
| CVE-2016-10633 / GHSA-4pf7-579w-f4gm | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | Affected versions of dwebp-bin insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on the system running dwebp-bin. [...] |
| CVE-2016-10618 / GHSA-8r98-rqg5-4vm3 | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | Affected versions of node-browser insecurely downloads resources over HTTP. In scenarios where an attacker has a privileged network position, they can modify or read such resources at will. While the exact severity of impact for a vulnerability like this is highly variable and depends on the behavior of the package itself, it ranges from being able to read sensitive information all the way up to and including remote code execution. [...] |
| CVE-2016-10632 / GHSA-hxhm-3vj9-6cqh | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | Affected versions of apk-parser2 insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on the system running apk-parser2. [...] |
| CVE-2016-10612 / GHSA-x56r-5r34-qg74 | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | Affected versions of dalek-browser-ie-canary insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on the system running dalek-browser-ie-canary. [...] |
| CVE-2016-10605 / GHSA-65q2-x652-xx84 | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | Affected versions of dalek-browser-ie insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on the system running dalek-browser-ie. [...] |
| CVE-2016-10664 / GHSA-wx3q-6x7x-jjw4 | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | Affected versions of mystem insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on the system running mystem. [...] |

They further underscore the need to reclassify the Attack Complexity for CVE-2016-1059 / GHSA-9gqh-q4cx-f2h9 to High.

@github-actions github-actions bot changed the base branch from main to vulnerability-analyst/advisory-improvement-5168 January 14, 2025 21:04

shelbyc commented Jan 14, 2025

Hi @vulnerability-analyst, I agree that AC:H is consistent with the AC:H value used in the CVSSv3 score and the AC:M value used in the CVSSv2 score and is therefore more appropriate. I'm curious what led NVD to use AC:H for a privileged network position rather than PR:L or PR:H, but it's possible some context for the CVE description and scoring decision has been lost to time. Thanks for reaching out and have a good day!

@advisory-database advisory-database bot merged commit 93ec64b into github:vulnerability-analyst/advisory-improvement-5168 Jan 14, 2025
@advisory-database

Hi @vulnerability-analyst! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!
