Beruflich Dokumente
Kultur Dokumente
Statement of Responsibility
The Report is being prepared solely for Mercedes-Benz USA, LLC (hereafter also referred to as “Mercedes-Benz
USA” or the “company”). The use may not meet the requirements or objectives of any other party.
Our work is carried out under a Statement of Work from June 29, 2018 between Deloitte GmbH
Wirtschaftsprüfungsgesellschaft (hereafter also referred to as “Deloitte”) and Mercedes-Benz USA, LLC. The scope
and objectives of this review are summarised in the Management Summary. The matters raised in this report are
only those which came to our attention during our review and are not necessarily a comprehensive statement of
all weaknesses that exist or all actions that might be taken.
No other party is entitled to rely upon the report for any purpose whatsoever and if they do choose to rely upon
the report, it will be at their own risk and without recourse to Deloitte. Should others choose to place reliance
upon any matters which we have reported, they are responsible for carrying out their own independent
investigations. Accordingly, to the fullest extent permitted by law, readers agree that Deloitte will have no duty or
liability to them in any way in connection with or arising from the report.
This work was performed under limitations of time and scope that are not potentially relevant to the actions of a
malicious attack. Our work is based at a specific point in time, in an environment where both the systems and the
threat profiles are dynamically evolving. It is therefore possible that vulnerabilities exist or will arise that were not
identified during our review and there may or will have been events, developments and changes in circumstances
subsequent to its issue which are likely to render the report’s contents wholly or partly misleading or inaccurate.
Mercedes-Benz USA, LLC | Management Summary
This document does not in any way contain an expression of an opinion or any other form of assurance on
Mercedes-Benz USA, LLC financial statements or any part thereof, nor an opinion or any other form of assurance
on Mercedes-Benz USA, LLC internal control systems or its compliance with laws, regulations, or other matters.
This report is confidential. It includes technical details of security weaknesses that if available to untrusted parties
could facilitate the execution of a breach against Mercedes-Benz USA, LLC. For that reason, access to this report
should be restricted, and the report should not be published.
Mercedes-Benz USA, LLC | Table of contents
Table of contents
Management Summary 1
Observations 3
Detailed Observations 5
Appendix A – Detailed Scope 20
Appendix B - Methodology 21
Appendix C – Testing Conditions and Limitation 22
Appendix D – Severity 23
Appendix E – List of Tools 26
Mercedes-Benz USA, LLC | Management Summary
Management Summary
Mercedes-Benz USA, LLC (hereafter also referred to as “Mercedes-Benz USA” or the “company”) engaged
Deloitte GmbH Wirtschaftsprüfungsgesellschaft (hereafter also referred to as “Deloitte”) to perform a
vulnerability assessment of the The Learning Link (Planning IT-ID APP-6552) application and its underlying host
in a QA environment. Our testing approach combines the use of automated scanning tools and manual
techniques. This assists with the identification of physical and logical security vulnerabilities, patching
deficiencies and misconfigurations, in order to make mitigation recommendations.
The results in this report are based on the analysis we performed remotely via the Internet from August 21 to
August 23, 2018. This report provides an indication of the security posture of the in-scope systems as of the
last day of the testing period.
Assessment Scope
The scope of the assessment is defined below; please see appendix for a more detailed scope:
Target Description
https://lnp- The Learning Link provides a business platform for employees to learn/study and
qa.corpinter.net/sites/LearnMB apply to internal training.
Table 1: Scope of the assessment
During this assessment, 1 high and 5 medium risk vulnerabilities were identified. These vulnerabilities could
lead to compromise of the confidentiality, integrity and availability of the data held within the The Learning Link
application.
High For further details and a more technical description of all identified
observations and our recommendations, please refer to the
Detailed Observations section and the appendix of this report,
6 which also details Deloitte’s methodology.
High Medium
Insecure Direct Object References: The web application had insecure object references. This means that
users could bypass authorization and access resources in the system directly by specific input.
Recommendation: Implement a proper authentication and authorization methods to restrict access to
sensitive system resources.
Clickjacking: We found that the application was not protected from Clickjacking attacks. During a
Clickjacking attack the original content is loaded into a hidden iframe that makes it invisible for the users.
When the user is clicking on the visible layer actually he is performing actions on the application.
Recommendation: Use the Content Security Policy (CSP) HTTP header with frame-ancestors directive to
prevent “Clickjacking” attacks. We also recommend to set the “X-Frame-Options” HTTP header with
SAMEORIGIN or DENY value as an additional layer of security.
Information Disclosure: We found that the server disclosed the deployment system version information in
the HTTP responses.
Recommendation: Disable version information in the server responses.
Weak Password Complexity: We found that the password complexity used by the application did not meet
the security good practices. The password did not require capital letters and handled numbers as special
characters.
Recommendation: Implement a password policy that ensures appropriate minimum complexity. For more
detailed recommendations refer to the respective issue or NIST Special Publication 800-63B Digital Identity
Guidelines.
Security Misconfigurations: We found that the application did not set the security related HTTP headers.
Recommendation: Set the HTTP headers stated in the Security Misconfigurations part of this document.
Information Disclosure in Error Messages: We found that the application sent back error messages to
the client, which sometimes contained valuable information for an attacker.
Recommendation: Use standard error messages without exposing any details about the application and the
deployment system.
Cacheable HTTPS Response: We found that browsers were not prohibited from caching sensitive
information returned by the web server.
Recommendation: Set the application to return caching directives instructing browsers not to store local
copies of any sensitive data.
Although the vulnerabilities identified above pose a greater risk to The Learning Link, there are other
vulnerabilities detailed in this report that Mercedes-Benz USA should consider remediating before performing a
re-test to validate whether applied fixes are effective. We estimate the effort for the re-test of the vulnerabilities
identified in this report at approximately 2 days.
It should be noted that testing was performed against a QA environment. Based the information provided, the
UAT environment was identical to the production environment at the time of testing. Our report assumes that
all observations also apply to the production environment of The Learning Link. However, the observations
identified were not verified in production. Our experience tells us that there may be slight configuration
deviations between QA and production environments. Therefore, additional or slight variations of these security
observations might exist in the production environment. We recommend Mercedes-Benz USA perform a full
setup and configuration comparison between the tested QA and the production environment to verify their
setup. Further testing conditions and limitations of the testing can be found in the appendix of this report.
Observations
The following table gives an overview of our observations from the security assessment. For detailed
descriptions of each observation, please refer to the Detailed Observations section of this document.
For further details and a more technical description of our observations and our recommendations, please refer
to the Detailed Observations section of this document.
Deloitte GmbH
Wirtschaftsprüfungsgesellschaft
Detailed Observations
The following pages contain the detailed observations
Description
The web application had insecure object references. This means that we were able to bypass authorization and
access resources in the system directly by specific input. In this example we accessed a PDF and PPTX file via
an unauthorized request. The following request-response pairs demonstrates the issue.
Request:
GET /file_source/LearnMB/DigitalAssets/2015/Coaching_for_HighPerformance_Factsheet.pdf
HTTP/1.1
Host: lnp-qa.corpinter.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Range: bytes=0-65535
Cookie: BIGipServerCMS.pool.autohaus-qa=2122653237.20736.0000
Response:
%PDF-1.5
%âãÏÓ
---Truncated---
We found the following documents by exploiting this issue. However, we emphasize, these are just examples,
and the problem should be handled generally.
https://lnp-
qa.corpinter.net/file_source/LearnMB/DigitalAssets/2015/Coaching_for_HighPerformance_Factsheet.pdf
https://lnp-
qa.corpinter.net/file_source/LearnMB/DigitalAssets/2015/Communicating_Effectively_Worksheet.pptx
The following screenshot shows the PDF which was accessed without authentication.
Figure 2: Unauthorized access to a PDF file in browser via insecure direct object reference
Impact
Successful exploitation could allow an attacker to access restricted system resources. In this case attackers can
access study materials that were meant for Daimler professionals only.
Likelihood
An unauthenticated attacker can access restricted system resources from the Internet via insecure direct object
references. It does not require moderate skills to exploit this vulnerability. For example this could be done by
using an URL fuzzer. An attacker hovewer needs to have knowledge about file naming conventions used by
Daimler.
Recommendation
We recommend Daimler to implement proper authentication and authorization methods to restrict access to
sensitive system resources.
Reference
n/a
PT-2: Clickjacking
Target(s) Vulnerability Security Misconfiguration Base Score 4.3
Type
https://lnp- Severity ● Medium
qa.corpinter.net/sites/LearnMB
Base Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Description
We found that the application was not protected from Clickjacking attacks. This attack also known as “UI
redressing attack”. During a Clickjacking attack the original content is loaded into a hidden iframe that makes it
invisible for the users. When the user is clicking on the visible layer actually he is performing actions on the
application. As a proof of concept, we were able to embed the application webpage into another website, by
loading in an iframe on a foreign website. As the following screenshot shows that the login page was embedded
to a foreign site and it remained fully functional:
Impact
An attacker might be able to access sensitive information (e.g. account credentials) and perform actions in the
application by convincing a logged in user.
Likelihood
An attacker requires network level access to the web application. Limited technical skills required to perform a
successful attack.
Recommendation
We recommend using the Content Security Policy (CSP) HTTP header with frame-ancestors directive to prevent
“Clickjacking” attacks. However, we note that older versions of the Internet Explorer than IE 15 does not
supports CSP header correctly. Therefore, we also recommend to set the “X-Frame-Options” HTTP header with
SAMEORIGIN or DENY value as an additional layer of security.
Additionally, this attack could be mitigated by implementing client-side (e.g. JavaScript) based countermeasure
in place.
Reference
https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
Description
We found that the server disclosed the deployment system version information in the HTTP responses, as the
following HTTP response demonstrate:
Request:
oldPwd=W********8&newPwd=d********5&verifyPwd=d*******5&LoginAs=3&UserMode=0&Mode=0&Stage=2&r
u=&isFromProfPage=0&g_iInternal=1
Response:
HTTP/1.1 200 OK
Date: Wed, 22 Aug 2018 09:19:49 GMT
Server: Microsoft-IIS/7.5
Cache-Control: private
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: Wed, 22 Aug 2018 09:18:49 GMT
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
X-UA-Compatible: IE=EmulateIE7
Set-Cookie:
SUMTOTALAUTH=%24SumT75CNG%2bXcx%2fR3yuTCOnMcyQum34kbi03954%2f3q0cu1uLywscahg1bLnHmSJBlGwVdHiB
4Ff3kTVQ2vUioVWj03H3rfY6uOPBVKJ1JPzbQrMgEPBYuAI4qWbztZuE39vlVtjIJrC7SrxIXEPiOUR7IfPN6HRhfkeKm
hOD%2flxbnAJJnGHZDs%3d; path=/sumtotal
…
Impact
An attacker may gather information about the application and/or its environment that can be used for further
attacks (e.g. version numbers).
Likelihood
Any remote attacker may perform the attack. Limited technical skills are required.
Recommendation
We recommend disabling version information in the server responses.
Reference
n/a
Description
We found that the password complexity used by the application did not meet the security good practices. The
password did not require capital letters and handled numbers as special characters. The following request-
response pairs demonstrates the issue.
Request:
oldPwd=W********8&newPwd=dtest12345&verifyPwd=dtest12345&LoginAs=3&UserMode=0&Mode=0&Stage=2&
ru=&isFromProfPage=0&g_iInternal=1
Response:
HTTP/1.1 200 OK
Date: Wed, 22 Aug 2018 09:19:49 GMT
Server: Microsoft-IIS/7.5
Cache-Control: private
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: Wed, 22 Aug 2018 09:18:49 GMT
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
X-UA-Compatible: IE=EmulateIE7
Set-Cookie:
SUMTOTALAUTH=%24SumT75CNG%2bXcx%2fR3yuTCOnMcyQum34kbi03954%2f3q0cu1uLywscahg1bLnHmSJBlGwVdHiB
4Ff3kTVQ2vUioVWj03H3rfY6uOPBVKJ1JPzbQrMgEPBYuAI4qWbztZuE39vlVtjIJrC7SrxIXEPiOUR7IfPN6HRhfkeKm
hOD%2flxbnAJJnGHZDs%3d; path=/sumtotal
…
Impact
An attacker might be able to guess or brute-force user accounts with weak passwords and gain unauthorized
access to sensitive data or launch further attacks. The risk was increased by the fact that no brute-force
protection was implemented.
Likelihood
An attacker may succeed with a dictionary based or brute-force attack against user passwords.
Recommendation
The recommended password complexity depends on the password storage mechanism that can be
selected/implemented in the application. Make sure that a strong hashing algorithm (such as: Blowfish,
SHA256, SHA512, Oracle S type, etc.) with password salt, or a password stretching algorithm (such as:
PBKDF2, scrypt, bcrypt) is used for password storage. If such strong password storage mechanisms are not
available in the system, consider using an external authenticator service that can provide strong password
storage.
Length: The minimum length of passwords shall be 8 characters or more. If the password
storage mechanism has known weaknesses and cannot be changed, the minimum length of
passwords shall be 12 characters or more.
Complexity: Passwords shall contain characters from at least three of the four primary
categories: uppercase letters, lowercase letters, numbers, and characters. If a password
stretching algorithm is used for password storage, then this requirement is not applicable.
Dictionary and composition rules: Passwords shall not be based on values known to be
commonly-used, expected, or compromised, such as:
o Context specific words, such as the name of the company, project, or service, the
username or parts of the user’s real name, and derivatives thereof
o Passwords obtained from previous breach corpuses
o Dictionary words
o Repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’)
o The best practice is using random generated passwords of at least 14 characters in
length.
Reference
NIST Special Publication 800-63B Digital Identity Guidelines
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf - Section 5.1.1
Description
The application did not set the “Content-Security-Policy” HTTP header. When this header is properly set, the
application is able to control and extend the browser security settings. Failure to properly configure this setting
leaves the application vulnerable to various attacks. For example, the page can be embedded into other sites,
by loading in an iframe on a foreign website. Furthermore, the application will not be able to detect policy
violations and enforce proper security policy. As a result, the application is vulnerable against “Clickjacking”
attacks (please see PT-2 part of this document). Moreover, the application did not set the “X-Frame-Options”
HTTP header. This header is able to control whether the page can be embedded in to other sites (e.g. It is
loaded to a foreign iframe). Because some browsers have not been fully support Content-Security-Policy yet,
without this header the application is vulnerable against the “Clickjacking” attack (please see PT-2 part of this
document).
The application did not set the “Strict-Transport-Security” header either. When this header is set the browser is
informed that the site and the application can be accessed only via encrypted HTTPS protocol. If the user tries
to visit the page via HTTP protocol (because of a Man-in-the-Middle attack for example), the browser
automatically falls back to HTTPS protocol. At the same time when “Strict-Transport-Security” header is set, the
browser does not allow the user to accept invalid SSL certificates.
The application did not set the “X-Content-Type-Options” header. This is an IE- and Chrome-specific header
which can protect against the so called MIME content-sniffing attacks. Content sniffing is a method used by the
browsers to determine the “real” content type of a response by looking at the content itself, instead of content-
type value of the response header. When “X-Content-Type-Options: nosniff“ is set, the browser uses the
“Content-Type” header only to determine the MIME type.
Impact
Without the “Content-Security-Policy” header an attacker might be able to access sensitive information or
perform actions in the application by using “Clickjacking” or Cross-Site Scripting (XSS) attacks and these
attacks might remain undetected. During a “Clickjacking” attack the original page is embedded into a malicious
page controlled by the attacker. The original content is loaded into a hidden iframe that makes it invisible for
the users. When the user is clicking on the visible layer actually he is performing actions on the application.
Furthermore, without the “X-Frame-Options” header, the application is not fully protected from “Clickjacking”
attacks.
If the HTTPS communication is not enforced by the “Strict-Transport-Security” header, an attacker might be
able to change the HTTPS links in the network traffic to cleartext HTTP links during a MITM attack and make the
user to use cleartext communication channel. At the same time an attacker may carry out SSL MITM against the
users, but the “Strict-Transport-Security” header makes it impossible for the users to accept the attacker’s
invalid certificates.
Without the “X-Content-Type-Options” header, if the response contains an unknown MIME type for the browser,
then some browsers try to interpret its content. If an attacker is able to inject his malicious code (e.g. HTML,
JavaScript) into the response, when the browser “sniffs” the content, it will identify it as “text/html” and run the
malicious payload. The risk is lowered by the fact that these kind of attacks works with only limited number of
browsers (e.g. Internet Explorer).
Likelihood
The missing “Content-Security-Policy” and “X-Frame-Options” HTTP headers can be exploited by anyone on the
internet by embedding the page into a malicious site or by performing Cross-Site-Scripting (XSS) attacks. Little
technical skills are required to perform a “Clickjacking” and XSS attacks.
The missing “Strict-Transport-Security” header may be exploited by an attacker performing a MITM attack. This
requires advanced technical skills and access to the network between the client and the server.
The missing “X-Content-Type-Options” header could be exploited by an attacker who is able to inject malicious
code into the network traffic. This attack requires advanced technical skills.
Recommendation
We recommend setting the “Strict-Transport-Security” header in order to mitigate the risk of Man-in-the-Middle
(MitM) attacks. We also recommend using the Content Security Policy (CSP) Level 2
(http://www.w3.org/TR/CSP2/) HTTP header by considering the following security decisions:
Using with frame-ancestors directive to prevent “Clickjacking” attacks. However, we note that
older versions of the Internet Explorer than IE 15 does not supports CSP header correctly.
Therefore, we also recommend to set the “X-Frame-Options” HTTP header with “SAMEORIGIN”
or “DENY” value as an additional layer of security.
Using the default-src directive set to none and allow those sites, which are necessary for the
application functionality (white-list based approach).
Use the script-src directive to mitigate the Cross-Site Scripting (XSS) attacks.
We also recommend setting the “X-Content-Type-Options” to “nosniff” at the web server side. We note that
Flash ignores the “Content-Type” header. Moreover, we note that limited number of browsers support this
header.
References
https://www.owasp.org/index.php/Content_Security_Policy_Cheat_Sheet
Description
We found that the application sent back error messages to the client, which sometimes contains valuable
information for an attacker. For example such a response contained information about the used CMS
framework, Vignette (now OpenText Web Experience Management):
Request:
Response:
HTTP/1.1 200 OK
Date: Wed, 22 Aug 2018 12:14:30 GMT
X-Powered-By: Servlet/3.0
Last-Modified: Wed, 22 Aug 2018 12:14:30 GMT
ETag: "a76a5bdb-3540-4c1d-9a22-550bcbf14d9a"
Vary: *
Content-Length: 644
srvrname: bgn12_88, qbgn12
Content-Type: text/html
Content-Language: en-US
Connection: close
Impact
An attacker may gather information about the application and/or its environment that can be used for further
attacks (e.g. version numbers).
Verbose error messages may contain information which can provide an insight into the application internal
architecture, the applied software components, the developer’s variable nomenclature scheme etc. As a result,
they could help an attacker in formulating further attacks.
Likelihood
Any remote attacker may perform the attack. Limited technical skills are required.
An authenticated/unauthenticated attacker may generate error messages, which may contain sensitive
information (e.g. server version, debug data, logged in users, password hashes).
Recommendation
We recommend using standard error messages without exposing any details about the application and the
deployment system.
The application should use custom error pages for HTTP error codes (e.g. HTTP 404, HTTP 403, and HTTP 500)
and should display standardized error messages in case of application errors as well. Detailed error messages
should be logged at server side.
Reference
n/a
Description
We found that browsers were not prohibited from caching sensitive information returned by the web server.
The following screenshot shows the sensitive data cached by the browser:
Impact
Storing sensitive data in the local cache could lead to other users with physical access to the same computer
retrieving this sensitive information.
Likelihood
An attacker needs physical access to the client’s computer to gain access to sensitive cached data. Moderate
technical skills are required to perform an attack.
Recommendation
We recommend setting the application to return caching directives instructing browsers not to store local copies
of any sensitive data, by setting the following HTTP response headers:
The above mentioned HTTP response headers should be set for all user-related data and confidential content.
Reference
n/a
User Role
MB1052783 Normal user
Appendix B - Methodology
Deloitte has developed its own penetration testing methodology inspired by the OWASP, WASC and OSSTM
standards and has it customized in order to deliver a consistent and high-quality service. This methodology
follows the steps described below, and is regularly updated based on new attack techniques and vulnerabilities
that are discovered. More details on the specific security assessment activities performed during our
engagement can be found in our proposal.
While conducting an application penetration test we have applied the Deloitte testing methodology, which is
aligned with the BSI and NIST recommendation for penetration as stated in the offer. For the project we have
performed all typical tests outlined in the OWASP Testing Guide (Version 4) including but not limited to:
Deloitte’s observations are representative of the environment in scope at the time of the test. If the
environment is modified through changes in configuration, installed software packages, or application code,
then additional vulnerabilities may be introduced that the test did not identify.
The test was limited to a reasonable efforts basis and limited sample functionality on what could be achieved
within the requested test window; hence, there may be vulnerabilities that were not identified during the test.
Likewise, vulnerabilities that have been identified above may be present in other parts of the environment than
those noted.
During the test, we did not perform several tests for the following reasons:
Appendix D – Severity
This legend describes the attributes of the findings discussed in this report.
The presented results are based on the output of the applied software tools, common vulnerability databases
and our professional experience. Severity scoring is based on associated impact of vulnerability exploitability
and the authorization scope. Common Vulnerability Scoring System (CVSS) is used to calculate the severity of
the vulnerabilities.
CVSS is a free and open industry standard for assessing the severity of the security vulnerabilities. It is
managed by the Forum of Incident Response and Security Teams (https://www.first.org). The current version of
CVSS is version 3.
For all listed findings, Mercedes-Benz USA should perform their own assessment to align their information
security management risk rating methodology. Furthermore, Mercedes-Benz USA should evaluate if and how
the proposed remediation activities should be implemented. An adequate risk rating can only be performed with
internal knowledge of business requirements and organizational processes of the company.
Since new vulnerabilities within operating systems and applications are published on a daily basis, and the
configuration of the systems is subject to frequent changes, the following results can only be based on publicly
available vulnerability information and the configuration of the systems on the date of the tests. This implies
that new vulnerabilities within software products used by Mercedes-Benz USA may have been published in the
meantime, or particular weaknesses may already have been corrected.
Please note that in some instances so called “False Positives” may be listed in the report. This is because we did
not have access to all necessary system or design information. Therefore, all results must be verified in order to
confirm the rating.
Exploitability Metrics
The metric of the exploitability of a vulnerability is based on the Attack Vector (AV), Attack Complexity (AC),
Privileges Required (PR) and User Interaction. A finding’s exploitability is classified as follows:
Network (N): Non-restricted network layer access requires exploiting the vulnerability. Network is bound to
the network stack and the access path goes through network layer.
Adjacent (A): Adjacent network access requires exploiting the vulnerability. Same local IP subnets, shared
platforms or other logical connected networks are considered as adjacent network.
Local (L): Local access requires exploiting the vulnerability. The vulnerability is not bounded to the network
stack.
Physical (P): Physical access requires exploiting the vulnerability.
Low (L): Vulnerabilities that are repeatable and require no specific conditions are considered as low.
High (H): Vulnerabilities that are not easy to exploit and requires some measurable amount of effort to
exploit are considered as high.
None (N): There is no need to privilege requires to access the target, user accounts or specific conditions to
exploit vulnerabilities.
Low (L): There is need to some privilege to network the target, low-level user accounts or defined specific
conditions to exploit the vulnerabilities.
High (H): There is need to privilege access to the target, administrative accounts or other specific conditions
that are required significant privilege.
None (N): The vulnerable system can be exploited without interaction from any user.
Required (R): Successful exploitation of this vulnerability requires a user to take some action before the
vulnerability can be exploited.
Unchanged: Authorization scope is unchanged where vulnerable component and impacted component are the
same.
Changed: Authorization scope is changed where vulnerable component and impacted component are not the
same. With exploitation of the vulnerability, an attacker would have some authorization privilege beside the
scope.
Impact Metrics
The metric of the impact of a vulnerability is based on the confidentiality (C), integrity (I) and accessibility (A).
A finding’s impact is classified as follows:
High (H): There is total loss of confidentiality. The disclosed information is considered as serious loss and it
affects the scope directly.
Low (L): There is some loss of confidentiality. Some restricted information is obtained, but the attacker does
not have control over the application. The disclosed information is not considered as serious loss.
None (N): There is no loss of confidentiality within the impacted component.
High (H): There is a total loss of integrity or a complete loss of protection. The information is considered as
serious loss and it affects the scope directly.
Low (L): There is possible the modification of data but the attacker does not have control over the
consequence of a modification. The data modification is not considered as serious impact.
None (N): There is no loss of integrity within the impacted component.
High (H): There is total loss of availability, resulting in the attacker being able to fully deny access to
resources in the impacted component.
Low (L): There is reduced performance or interruptions in resource availability. Even if repeated exploitation
of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate
users.
None (N): There is no impact to availability within the impacted component.