Improper Input Validation in CVSS v2 parsing · Issue #21 · goark/go-cvss · GitHub
Improper Input Validation in CVSS v2 parsing #21
Closed
@pandatix

Description

During differential fuzzing with github.com/pandatix/go-cvss, I discovered that some invalid inputs did not raise errors.
This could be categorized as CWE-20.

For instance, the following Go code does not produce any error (using tag v1.4.4).

package main

import (
	"fmt"

	"github.com/goark/go-cvss/v2/base"
)

func main() {
	vec, err := base.Decode("AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/rc:C")

	fmt.Printf("vec: %v\n", vec)
	fmt.Printf("err: %v\n", err)
}

produces ->

vec: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C
err: <nil>

You can check that this input is invalid by looking at Table 13 of the specification, which shows that metrics are only uppercase.
This issue is similar to #15 but related to metrics directly and not their values.
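A strict checker of the kind this report asks for, as an added example that is not part of go-cvss or the reporter's code: metric names and values are matched case-sensitively against the Table 13 spelling, so `rc:C` is rejected rather than normalised to `RC:C`, and repeated or missing base metrics fail too. `ValidateCVSS2` and `cvss2Metrics` are names chosen here, not the library's API.

```go
package main

import (
	"fmt"
	"strings"
)

// CVSS v2 metric names and values spelled exactly as in Table 13 of the
// specification. Lookups are case-sensitive, so "rc" is rejected, not upper-cased.
var cvss2Metrics = map[string]map[string]bool{
	"AV": {"L": true, "A": true, "N": true}, "AC": {"H": true, "M": true, "L": true},
	"Au": {"M": true, "S": true, "N": true}, "C": {"N": true, "P": true, "C": true},
	"I": {"N": true, "P": true, "C": true}, "A": {"N": true, "P": true, "C": true},
	"E": {"U": true, "POC": true, "F": true, "H": true, "ND": true},
	"RL": {"OF": true, "TF": true, "W": true, "U": true, "ND": true},
	"RC": {"UC": true, "UR": true, "C": true, "ND": true},
	"CDP": {"N": true, "L": true, "LM": true, "MH": true, "H": true, "ND": true},
	"TD": {"N": true, "L": true, "M": true, "H": true, "ND": true},
	"CR": {"L": true, "M": true, "H": true, "ND": true},
	"IR": {"L": true, "M": true, "H": true, "ND": true},
	"AR": {"L": true, "M": true, "H": true, "ND": true},
}

// ValidateCVSS2 is a constructed strict checker: it rejects unknown, mis-cased
// or repeated metric names, invalid values, and vectors missing a base metric.
func ValidateCVSS2(vector string) error {
	seen := map[string]bool{}
	for _, part := range strings.Split(vector, "/") {
		name, value, ok := strings.Cut(part, ":")
		if !ok {
			return fmt.Errorf("malformed metric %q", part)
		}
		allowed, known := cvss2Metrics[name] // exact match: "rc" != "RC"
		if !known || seen[name] {
			return fmt.Errorf("unknown or repeated metric name %q", name)
		}
		seen[name] = true
		if !allowed[value] {
			return fmt.Errorf("invalid value %q for metric %q", value, name)
		}
	}
	// The six base metrics are mandatory; temporal and environmental are optional.
	for _, m := range []string{"AV", "AC", "Au", "C", "I", "A"} {
		if !seen[m] {
			return fmt.Errorf("missing base metric %q", m)
		}
	}
	return nil
}
```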
