
[GHSA-4vhw-4rw7-jfpv] Proposal for Revising Integrity and Availability in CVSS 3.x Rating #5205

Open
wants to merge 1 commit into
base: anonymous-nlp-student/advisory-improvement-5205

Conversation

anonymous-nlp-student

Summary

The Integrity (I) and Availability (A) rating of CVE-2020-35883 / GHSA-4vhw-4rw7-jfpv should be updated from I:H/A:H to I:L/A:N because

  • Integrity (I): While the vulnerability allows modification of files through directory traversal, the scope of modification is limited to files with a .conf extension. This limitation reduces the overall impact on system integrity, as the attacker cannot modify all files indiscriminately. Additionally, the impact depends on the criticality of the .conf files affected, which may not necessarily lead to a total loss of protection for the impacted component.
  • Availability (A): While overwriting configuration files could indirectly affect availability depending on their use, this impact would be a secondary consequence and not directly caused by the vulnerability itself.

GHSA Description

An issue was discovered in the mozwire crate through 2020-08-18 for Rust. A ../ directory-traversal situation allows overwriting local files that have .conf at the end of the filename.

CVSS 3.x Specifications

Integrity

  • High (H): There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the impacted component. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the impacted component.
  • Low (L): Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact on the impacted component.
  • None (N): There is no loss of integrity within the impacted component.

Availability

  • High (H): There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed). Alternatively, the attacker has the ability to deny some availability, but the loss of availability presents a direct, serious consequence to the impacted component (e.g., the attacker cannot disrupt existing connections, but can prevent new connections; the attacker can repeatedly exploit a vulnerability that, in each instance of a successful attack, leaks only a small amount of memory, but after repeated exploitation causes a service to become completely unavailable).
  • Low (L): Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the impacted component are either partially available all of the time, or fully available only some of the time, but overall there is no direct, serious consequence to the impacted component.
  • None (N): There is no impact to availability within the impacted component.

@github-actions github-actions bot changed the base branch from main to anonymous-nlp-student/advisory-improvement-5205 January 20, 2025 22:06
@JonathanLEvans

Hi @anonymous-nlp-student, while the exploit only working on a specific file type would normally limit the impact, since there is likely a sensitive .conf file (e.g., resolv.conf or lilo.conf) on any installation, the Integrity impact should be High.

Also, the CVSS standard says to use a reasonable, final outcome for the impact metric, not just the immediate impact. And since the final outcome of modifying .conf files can be a complete denial of service, Availability should be High.
