Forum Discussion
CTI: Creating a proof of concept question
In our experience, the CVSS scoring system can feel a bit arbitrary and not wholly accurate when it comes to things like attack complexity. An attack complexity of "low" suggests that you don't need any special conditions to be met, which technically this doesn't.
A special condition could be that the server has to be configured in a very particular way, or the user needs to do a very specific thing to make that vulnerability possible—but that's not the case here. The vulnerability is technically complex to PoC, but it isn't overly complicated.
If I could change the CVSS scoring system to be what I wanted, this vulnerability would be of Medium complexity because it's not trivial, but also doesn't require a bunch of steps in a complex attack chain to exploit.
A high complexity vulnerability might require you to exploit a chain of related vulnerabilities to get to the link in the chain you actually wanted to exploit in the first place.
Basically, the scoring could be based on "feels" and very much on the people making the assessment. If I am an expert in writing PoCs for XYZ appliances, I might mark this vulnerability as a low-complexity one.
I hope this helps you.