I am curious about the Integrity metric in CVSS 3.1.

Low is:

"Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact on the impacted component."

High is:

"There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the impacted component. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the impacted component."

With that description, I assumed that the Integrity of parameter tampering is Low because we can only modify some data in a given parameter. But many security vendors give a High Integrity value for parameter tampering.

Help me understand why parameter tampering is given High Integrity. Or, can I get some examples of vulnerabilities that have Low Integrity?

schroeder
  • "we only can modify some data on a given parameter" -- what's an example of parameter tampering where you only have access to some of a given parameter? – schroeder Sep 25 '21 at 08:01
  • Let's say it is price tampering, where we can modify the price value at checkout. – Problem Child Sep 25 '21 at 08:30
  • Then that field is fully tamperable, right? You can't tamper with only part of the parameter, as you state. – schroeder Sep 25 '21 at 09:38

1 Answer

This is an impact score. What matters is what the attacker can do by exploiting the vulnerability. It mostly doesn't matter by what “amount” the attacker can change the parameter: you need to look at the possible consequences of this change.

For example, if the attacker can flip the HasAdminPrivileges from 0 to 1, this is a high-impact integrity vulnerability, even though it's only a 1-bit change.

Modifying the price value at checkout would be another example of high impact. If a customer can get products for free by setting the price to 0, that's a major loss of income for the business, so it's a high impact.

As an example of a low-impact vulnerability, suppose a vendor offers customers a discount on their birthday: 10% off all purchases for 24 hours. The birthday discount uses the customer's address to determine the timezone and the customer can change their address at any time. A customer who rotates their timezone from eastern Kiribati to London to inhabited US Pacific territories could benefit from the discount for 50 hours. This is a breach of the integrity of the birthday parameter, since it ends up covering a time period that is not what was intended. The business can lose intended income, but the impact is very minor since it's only a small discount applied for slightly longer than intended. It's probably a vulnerability that the business would not want to fix since this fix is likely to impact customers who are moving and do need to change their address.

Gilles 'SO- stop being evil'