
Update CVSS scoring suggestion for vulns behind a feature flag

Rohit Shambhuni requested to merge master-patch-c91b into master

When scoring CVSS for bugs behind disabled-by-default feature flags, we should score Attack Complexity as Low according to the CVSS 3.1 Specification (see the Attack Complexity section), which says: "If a specific configuration is required for an attack to succeed, the Base metrics should be scored assuming the vulnerable component is in that configuration." Please also see section 2.3.3, Assume Vulnerable Configurations, in the CVSS 3.1 User Guide.

In scenarios like these, that is how we have been scoring issues (AC:L) as far as I have seen.

This MR came out of this discussion.

I'll open another MR to update the bounty calculator to suggest we should be scoring AC:L for scenarios like these, after this MR gets merged.

@gitlab-com/gl-security/appsec for review and feedback.

Edited by Rohit Shambhuni
