
CVSS3 Scope change question

Çağlar Arlı

Let's say I have an e-commerce organization. My organization has two security authorities A and B. The authority A manages access to data related to user orders, and the authority B manages access to data related to user payments.

My organization also has two software components: the websites W1 and W2. The website W1 is governed by the security authority A and the website W2 is governed by the security authority B.

At some point, W2 intentionally provides W1 with an access_token. That access_token can be used to retrieve the user's payment information. Now, due to a security vulnerability in W1, the access_token is leaked to an attacker, giving the attacker access to the user's payment information.

Would this be considered a scope change as per CVSS v3?

I think the description I provided suits the scope changed definition:

Scope changed: An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component. In this case, the vulnerable component and the impacted component are different and managed by different security authorities.

Formally, Scope refers to the collection of privileges managed by a computing authority (e.g. an application, an operating system, or a sandbox environment) when granting access to computing resources (e.g. files, CPU, memory, etc). These privileges are assigned based on some method of identification and authorization.

If an exploited vulnerability in an application that implements its own security authority can affect resources beyond its security scope, the vulnerability is also scored as scope changed.

But I would like to hear other opinions.

References:

https://www.first.org/cvss/specification-document#2-2-Scope-S
https://www.first.org/cvss/v3.1/user-guide#3-5-Scope-Vulnerable-Component-and-Impacted-Component

Thanks.