Closed
Description
During differential fuzzing with github.com/pandatix/go-cvss I discovered that your implementation does not properly validate CVSS v2 vectors when environmental metrics values are not defined.
This could be categorized as CWE-20.
In order to be compliant with the first.org specification Table 13 you must only validate a vector when all the group metrics are defined in the input vector, even if Temporal and Environmental ones are set to ND (Not Defined).
The following Go code illustrates this issue.
package main
import (
"fmt"
"github.com/goark/go-cvss/v2/metric"
)
func main() {
raw := "AV:A/AC:L/Au:N/C:C/I:C/A:C/CDP:H/TD:H/CR:H"
vec, err := metric.NewEnvironmental().Decode(raw)
fmt.Printf("vec: %v\n", vec)
fmt.Printf("err: %v\n", err)
}produces ->
vec: AV:A/AC:L/Au:N/C:C/I:C/A:C/CDP:H/TD:H/CR:H/IR:ND/AR:ND
err: <nil>