
So I'm looking at scoring a vulnerability, and I'm waffling on how to handle Scope and Confidentiality impact.

If scope is changed, isn't confidentiality-impact necessarily changed to at least Low? If I can get into a scope I shouldn't have access to, I can definitely get information I shouldn't have access to, correct?

Sidney

1 Answer


Hmm, I'm trying to think up a counter-example. Say you have a blind SSRF -- I can cause the server to send a request of my choosing to a host of my choosing within its LAN, but I can't see the response. That's definitely a scope change because I'm jumping from the host I'm allowed to talk to to one that I'm not. But it's not a confidentiality issue because I can't get any information out.

Mike Ounsworth