
How to assess the Privilege Required?

Çağlar Arlı


I am calculating the CVSS score for an issue, and I am confused about the Privileges Required (PR).

The issue is this: for a client desktop app that connects to a server, if the logged-in user enables debugging, the user's JWT token is logged on their workstation. Now that it is on the workstation, anyone who has access to the workstation will be able to get the token from the file where the JWT token is stored.

For this, what would the PR value be? I consider it Low, as anyone who can access the workstation can grab the token. Someone told me it should be High because the user should be logged in. So which one is right?

None (N): The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.

Low (L): The attacker requires privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources.

High (H): The attacker requires privileges that provide significant (e.g., administrative) control over the vulnerable component allowing access to component-wide settings and files.