
Update CVSS Scoring to CVSS 4 #484

Open
GetSun2EZ opened this issue Jul 12, 2023 · 4 comments
Labels
enhancement New feature or request

Comments

@GetSun2EZ
Recently, CVSS 4 scoring was released. It adds a certain number of metrics in addition to CVSS 3.1, which are relevant.

Would it be possible to add CVSS 4 scoring in pwndoc?

Thanks

@GetSun2EZ GetSun2EZ added the enhancement New feature or request label Jul 12, 2023
@wantafanta

https://www.first.org/cvss/v4-0/

The CVSS v4.0 Public Preview comment period began on June 8, 2023, and runs through July 31, 2023. All feedback will be reviewed and addressed by August 31, 2023, with a target official publication date of October 1, 2023.

Might be a waste of someone's time until it's official.

@Xitro01

Xitro01 commented Nov 2, 2023

It's out now, but PLEASE make this OPTIONAL.

I'm not happy about the changes, so will stick to CVSS 3.1 for a while.

Just to give an example of why I'm not a fan:
Let's say you completely take over the crown jewels, the SQL database of a website.
The SQL database is on a different server, which you can fully take over. But you can't do anything on the webserver itself.
Then this will be the outcome:
[screenshot: signal-2023-11-02-094827_002]

So that will mean that you found a high vulnerability and not a critical.

@randshell

randshell commented Nov 17, 2023

@Xitro01 in the example you brought up, the vulnerable system is the DB as it's the one directly impacted by your payload. Thus the VC, VI and VA are on High. The Subsequent System in this case could be the underlying server. If there is no xp_cmdshell or alike that can be used, then SC, SI and SA will be on None, making the issue a 9.3 one.

I agree that the new way of identifying Subsequent Systems takes a bit to get used to. 🙂 What helped me are the new examples provided at https://www.first.org/cvss/v4.0/examples.


@Xitro01

Xitro01 commented Jan 24, 2024

> @Xitro01 in the example you brought up, the vulnerable system is the DB as it's the one directly impacted by your payload. Thus the VC, VI and VA are on High. The Subsequent System in this case could be the underlying server. If there is no xp_cmdshell or alike that can be used, then SC, SI and SA will be on None, making the issue a 9.3 one.
>
> I agree that the new way of identifying Subsequent Systems takes a bit to get used to. 🙂 What helped me are the new examples provided at https://www.first.org/cvss/v4.0/examples.

For the example I gave: fair enough. Yet, looking at the examples at first.org: if you ask me, it doesn't really add much. Just a slightly different way to calculate the value. There are just a few exotic vulnerabilities which make use of the subsequent metrics; for most, the "Changed/Unchanged" value would have sufficed.

Anyways, hopefully it will still be released as optional. That will ease the migration towards 4.0, as our database has over 200 findings with CVSS 3.1. Just need to slightly adjust our report template so that the new CVSS 4.0 string will fit and that's it.
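The two points raised above (how the Vulnerable System metrics VC/VI/VA differ from the Subsequent System metrics SC/SI/SA, and that a tool storing findings has to accept the new CVSS 4.0 vector string) can be illustrated with a small parser. The block below is an added example and is not pwndoc's code or the FIRST reference calculator: it validates a `CVSS:4.0/...` vector against the metric names and values in the CVSS v4.0 specification, derives the CVSS-B / CVSS-BT / CVSS-BE / CVSS-BTE nomenclature, and reports which system the (environment-adjusted) impact metrics touch. It deliberately does not compute a numeric score, because v4.0 scoring needs the MacroVector lookup table, so the 9.3 quoted above is not reproduced here. The DB-takeover vector is constructed to match the scenario described in the thread, not copied from the screenshot, and the function names are this example's own.

```javascript
// Added example (not pwndoc or FIRST code): parse and sanity-check a CVSS v4.0
// vector string and summarise its impact per system.
// Metric names/values follow the CVSS v4.0 specification; scoring is out of scope.

const BASE = {
  AV: ['N', 'A', 'L', 'P'], AC: ['L', 'H'], AT: ['N', 'P'],
  PR: ['N', 'L', 'H'], UI: ['N', 'P', 'A'],
  VC: ['H', 'L', 'N'], VI: ['H', 'L', 'N'], VA: ['H', 'L', 'N'], // Vulnerable System
  SC: ['H', 'L', 'N'], SI: ['H', 'L', 'N'], SA: ['H', 'L', 'N'], // Subsequent System
};
const THREAT = { E: ['X', 'A', 'P', 'U'] };
const ENV = {
  CR: ['X', 'H', 'M', 'L'], IR: ['X', 'H', 'M', 'L'], AR: ['X', 'H', 'M', 'L'],
  MAV: ['X', 'N', 'A', 'L', 'P'], MAC: ['X', 'L', 'H'], MAT: ['X', 'N', 'P'],
  MPR: ['X', 'N', 'L', 'H'], MUI: ['X', 'N', 'P', 'A'],
  MVC: ['X', 'H', 'L', 'N'], MVI: ['X', 'H', 'L', 'N'], MVA: ['X', 'H', 'L', 'N'],
  MSC: ['X', 'H', 'L', 'N'],
  MSI: ['X', 'S', 'H', 'L', 'N'], MSA: ['X', 'S', 'H', 'L', 'N'], // S = Safety
};
const SUPPLEMENTAL = {
  S: ['X', 'N', 'P'], AU: ['X', 'N', 'Y'], R: ['X', 'A', 'U', 'I'],
  V: ['X', 'D', 'C'], RE: ['X', 'L', 'M', 'H'],
  U: ['X', 'Clear', 'Green', 'Amber', 'Red'],
};
const ALL = { ...BASE, ...THREAT, ...ENV, ...SUPPLEMENTAL };

// Parse "CVSS:4.0/AV:N/..." into {AV:'N', ...}. Throws on a bad prefix,
// an unknown metric, an invalid value, a duplicate, or a missing base metric.
function parseCvss4(vector) {
  const parts = String(vector).trim().split('/');
  if (parts[0] !== 'CVSS:4.0') throw new Error('vector must start with "CVSS:4.0"');
  const metrics = {};
  for (const part of parts.slice(1)) {
    const [name, value, ...rest] = part.split(':');
    if (!name || value === undefined || rest.length) throw new Error(`malformed metric "${part}"`);
    if (!ALL[name]) throw new Error(`unknown metric "${name}"`);
    if (!ALL[name].includes(value)) throw new Error(`invalid value "${value}" for ${name}`);
    if (name in metrics) throw new Error(`duplicate metric "${name}"`);
    metrics[name] = value;
  }
  for (const name of Object.keys(BASE)) {
    if (!(name in metrics)) throw new Error(`missing base metric ${name}`);
  }
  return metrics;
}

// Convenience wrapper for form validation: null when valid, else the error text.
function validateCvss4(vector) {
  try { parseCvss4(vector); return null; } catch (e) { return e.message; }
}

// Nomenclature from the spec: B, BT, BE or BTE depending on which optional
// groups carry a value other than X ("Not Defined").
function nomenclature(metrics) {
  const defined = (group) => Object.keys(group).some((m) => m in metrics && metrics[m] !== 'X');
  return 'CVSS-B' + (defined(THREAT) ? 'T' : '') + (defined(ENV) ? 'E' : '');
}

// Effective impact per system, applying the Modified (MVC..MSA) overrides when
// they are set. "Safety" (S) on MSI/MSA counts as an impact on the subsequent system.
function impactSummary(metrics) {
  const eff = (m) => (metrics['M' + m] && metrics['M' + m] !== 'X') ? metrics['M' + m] : metrics[m];
  const touched = (...ms) => ms.some((m) => eff(m) !== 'N');
  return {
    vulnerable: { C: eff('VC'), I: eff('VI'), A: eff('VA') },
    subsequent: { C: eff('SC'), I: eff('SI'), A: eff('SA') },
    vulnerableTouched: touched('VC', 'VI', 'VA'),
    subsequentTouched: touched('SC', 'SI', 'SA'),
  };
}

// Constructed vector for the thread's scenario (assumption, not the screenshot):
// full takeover of the DB server, nothing reachable on the web server.
const DB_TAKEOVER_VECTOR = 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N';

if (typeof require !== 'undefined' && require.main === module) {
  const m = parseCvss4(DB_TAKEOVER_VECTOR);
  console.log(nomenclature(m), impactSummary(m));
  console.log(validateCvss4('CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'));
}

module.exports = { parseCvss4, validateCvss4, nomenclature, impactSummary, DB_TAKEOVER_VECTOR };
```

Running the block shows the DB-takeover vector parsing as CVSS-B with all three Vulnerable System impacts High and the Subsequent System untouched, and rejects a CVSS 3.1 string with a clear message, which is the check a report tool would want before storing a "CVSS 4.0 string" alongside the existing 3.1 findings.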

4 participants