@anonymous-nlp-student

Summary

The Scope (S) aspect of CVE-2018-16202 / GHSA-xwjh-cp99-cj8q should be updated from Unchanged (U) to Changed (C). The path traversal vulnerability allows attackers to access files that are not managed by localhost-now. This falls “beyond the security scope managed by the security authority of the vulnerable component,” aligning with the definition of S:C.

GHSA Description

Versions of localhost-now before 1.0.2 are vulnerable to path traversal. This allows a remote attacker to read the content of an arbitrary file.

CVSS 3.x Specifications

| Metric Value | Description |
| --- | --- |
| Unchanged (U) | An exploited vulnerability can only affect resources managed by the same security authority. In this case, the vulnerable component and the impacted component are either the same, or both are managed by the same security authority. |
| Changed (C) | An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component. In this case, the vulnerable component and the impacted component are different and managed by different security authorities. |

Supporting Examples

Versions of cordova-plugin-ionic-webview prior to 2.2.0 are vulnerable to Path Traversal, allowing attackers access to OS local files that should be inaccessible by third-party applications. The package launches a webserver listening on http://localhost:8080 without restricting access of the app itself, thus escaping the iOS application sandbox and accessing local files.

@github-actions github-actions bot changed the base branch from main to anonymous-nlp-student/advisory-improvement-5195 January 17, 2025 17:29
@shelbyc
Contributor

shelbyc commented Jan 17, 2025

Hi @anonymous-nlp-student, I don't necessarily agree with changing the scope change from unchanged to changed because the whole point of a path traversal is a threat actor being able to access files in a system that they shouldn't be able to access. The CVE Numbering Authority for CVE-2018-3729, HackerOne, didn't provide a CVSS, but I agree with NVD's CVSSv3 of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. If you're interested in discussing the nature of an unchanged vs. changed scope and changing the CVSS in the CVE record, I would recommend contacting HackerOne via their CNA contact information on https://www.cve.org/PartnerInformation/ListofPartners/partner/hackerone.

@github-actions

github-actions bot commented Feb 2, 2025

👋 This pull request has been marked as stale because it has been open with no activity. You can: comment on the issue or remove the stale label to hold stale off for a while, add the Keep label to hold stale off permanently, or do nothing. If you do nothing this pull request will be closed eventually by the stale bot. Please see CONTRIBUTING.md for more policy details.

@github-actions github-actions bot added the Stale label Feb 2, 2025
@github-actions github-actions bot closed this Feb 17, 2025