
In CVSS v3, the "scope" indicates whether a vulnerability in an application impacts resources beyond its means. It can have the values "changed" or "unchanged".

I don't fully understand when the scope is changed. For example, in the CVSS examples, an XSS has scope changed because a vulnerability in the application impacts the user's browser. But with XSS you can still only run Javascript within the application context, something which the application could do in the first place. It doesn't seem to me that this impacts resources beyond its means.

And the example CSRF vulnerability has scope unchanged, even though just like the XSS it triggers behavior in the browser.

What does it mean when the scope is changed or unchanged?

It seems from the documentation that the scope is changed when the vulnerability traverses authorization authorities. What is an "authorization authority"?

Sjoerd

  • [This article](https://www.riskbasedsecurity.com/2017/02/cvssv3-new-system-next-problem-scope/) explains more about scope in CVSS3, and left me with even more questions. – Sjoerd Jun 06 '17 at 13:05
  • I suppose that an "authorization authority" is one specific part of your whole system that verifies and validates some input. It checks permissions and grants access to, e.g., a resource to which one should have access. Let us assume that you manage to get around one "authorization authority" that would possibly not grant you access to a resource. Then you step into another part of the system that is ruled by another authorization authority that might verify and validate your input in another way. I suppose that is how one "changes the authorization authority". – anon Jun 06 '17 at 13:16
  • I'm trying to understand the 'Scope' of an XXE which allows network calls to other nodes. Most of the XXE CVEs out there treat scope as unchanged. But shouldn't we treat an operating system as a 'Security Authority', and fetching a resource under the control of another OS as a change of scope? 'Scope' has a big impact on the CVSS score. So, I'm trying to get it right. – drox Apr 22 '20 at 14:20

1 Answer


An XSS attack occurs when you send input to the server and the server returns your input as a response without validating it. In this case the vulnerability is on the server webpage (lack of validation) and this webpage is your scope authority. However, the attack doesn't compromise the webpage itself. It compromises the user's browser. This is where the scope change is occurring.

In a CSRF attack, the vulnerability is again on the webpage (no authorization tokens), but in this case the attack doesn't compromise the user's browser; it compromises just the particular webpage with the vulnerability, because a crafted request will only work on the specific website for which it was crafted. Thus the scope is unchanged (the vulnerability and the compromise are in the same component). I think anon in his comment explained perfectly what the authorization authority is, but hopefully this will give you more clarity.

Kotzu