[question] Privileges Required not modeled in automatic vulnerabilties?

mal-lang / coreLang

A probabilistic attack simulation language for the (abstract) IT domain

https://mal-lang.org/coreLang/

Other

10 stars 12 forks source link

[question] Privileges Required not modeled in automatic vulnerabilties? #33

Closed jesajx closed 3 years ago

jesajx commented 3 years ago

It looks to me like the Privileges Required (PR) CVSS attribute is not modeled in the automatic vulnerabilities.

For example: NLNNVulnerability, NLLNVulnerability and NLHNVulnerability behave the exact same way.

Is this the intended behavior?

skatsikeas commented 3 years ago

Yes, this is a known issue. We have as our plan to re-design the automatic vulnerabilities. When this is done, this property will be properly taken into account. A temporary fix, until the above one happens, is currently being considered and could be implemented.

skatsikeas commented 3 years ago

Some work to fix this, but only for the local vulnerabilities was done on the latest commit: https://github.com/mal-lang/coreLang/commit/4e2908e036acb65a50968f9ecda9791c247e3c46