One more Improper Input Validation in CVSS v2 parsing

[pandatix]

While differential fuzzing with github.com/pandatix/go-cvss I discovered that your implementation does not properly validate CVSS v2 vectors, as it don't check the metric order.

In order to be compliant with the first.org specification Section 2.4 ("the vector lists these metrics in a predetermined order [...]") you must validate that every metric is in the order of Table 13.

The following Go code illustrates this issue.

package main

import (
	"fmt"

	"github.com/goark/go-cvss/v2/metric"
)

func main() {
	raw := "AV:N/AC:L/Au:N/C:N/A:C/I:N"
	vec, err := metric.NewEnvironmental().Decode(raw)

	fmt.Printf("vec: %v\n", vec)
	fmt.Printf("err: %v\n", err)
}

produces ->

vec: AV:N/AC:L/Au:N/C:N/I:N/A:C
err: <nil>

As the order is AV -> AC -> Au -> C -> I -> A, the CVSS v2 vector AV:N/AC:L/Au:N/C:N/A:C/I:N is invalid.
Notice this is not specified in CVSS v3 (no metric order), so this issue could not be reproduced with submodule v3.

[spiegel-im-spiegel]

Release v1.6.3

[pandatix]

The previously provided code now produces ->

vec: AV:N/AC:L/Au:N/C:N/I:N/A:C
err: misordered vector string

Maybe you should return a nil pointer for the CVSS v2 object when there is an error (good practice). It may not be clear to the developer using your implementation whether it worked or not.

[spiegel-im-spiegel]

OK! Release v1.6.4.