12Mar
How to calculate CVSS score of a finding detected in the source code?
While I was doing a source code review of API handlers for REST APIs, I found a security issue.
This issue is that some methods have the annotation @PreAuthorize("permitAll()").
If I want to document this as a finding and give it a CVSS score, how can this be done? Should I consider this finding when calculating the score, or should I consider the impact of it, which is any user accessing the endpoints?
This struggle appeared when I started doing the calculation, for example:
- Attack vector: I don't see here what the attack vector is, as I found the finding by reading the code.
- Attack complexity: same for this, since there is no attack, but it's a finding at the level of the code.
Same goes for most of the other fields.