Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add Cryptographic Weakness Category #352

Open
wants to merge 6 commits into
base: master
Choose a base branch
from
Open

Add Cryptographic Weakness Category #352

wants to merge 6 commits into from

Conversation

nerdwell
Copy link

@nerdwell nerdwell commented May 2, 2023

This update:

  • Adds a new Cryptographic Weakness category detailing specific cryptography-related vulnerabilities; and
  • Deprecates the generic Broken Cryptography - Cryptographic Flaw vulnerability.

vortexau
vortexau requested changes May 2, 2023
View reviewed changes
Copy link

@vortexau vortexau left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Picked up one local path that should be removed or updated to a public resource.

mappings/remediation_advice/remediation_advice.json Outdated Show resolved Hide resolved
@vortexau
Copy link

Approved to be moved into intermediate branch.

RRudder added a commit to bugcrowd/templates that referenced this pull request Aug 15, 2023
@RRudder
Depreciation of Broken Cryptography
f5b01ab 
Depreciating the Broken Cryptography category and adding Cryptographic Weakness category in its place.

As per the VRT update in 352 - bugcrowd/vulnerability-rating-taxonomy#352
@RRudder RRudder mentioned this pull request Aug 15, 2023
Merged
RRudder added a commit to bugcrowd/templates that referenced this pull request Aug 15, 2023
@RRudder
Addition of Insufficient Entropy Subcategory and Variants
388e969 
As per the VRT update in 352 - bugcrowd/vulnerability-rating-taxonomy#352
@RRudder RRudder mentioned this pull request Aug 15, 2023
Merged
RRudder added a commit to bugcrowd/templates that referenced this pull request Aug 15, 2023
@RRudder
Addition of Weak Hash Sub Category and Variants
c6b51ce 
As per the VRT update in 352 - bugcrowd/vulnerability-rating-taxonomy#352
@RRudder RRudder mentioned this pull request Aug 15, 2023
Merged
RRudder added a commit to bugcrowd/templates that referenced this pull request Aug 15, 2023
@RRudder
Addition of insufficient verification of data authenticity
82a76d0 
...subcategory and variants

As per the VRT update in 352 - bugcrowd/vulnerability-rating-taxonomy#352
@RRudder RRudder mentioned this pull request Aug 15, 2023
Merged
RRudder added a commit to bugcrowd/templates that referenced this pull request Aug 15, 2023
@RRudder
Addition of Insecure Key Generation
0818be1 
...subcategory and variants.

As per the VRT update in 352 - bugcrowd/vulnerability-rating-taxonomy#352
@RRudder RRudder mentioned this pull request Aug 15, 2023
Merged
RRudder added a commit to bugcrowd/templates that referenced this pull request Aug 15, 2023
@RRudder
Addition of Key Reuse
8ae88ef 
...subcategory and variants.

As per the VRT update in 352 - bugcrowd/vulnerability-rating-taxonomy#352
@RRudder RRudder mentioned this pull request Aug 15, 2023
Merged
RRudder added a commit to bugcrowd/templates that referenced this pull request Aug 15, 2023
@RRudder
Addition of Side Channel Attack
df243f8 
...subcategory and variants.

As per the VRT update in 352 - bugcrowd/vulnerability-rating-taxonomy#352
@RRudder RRudder mentioned this pull request Aug 15, 2023
Merged
RRudder added a commit to bugcrowd/templates that referenced this pull request Aug 15, 2023
@RRudder
Added Use of Expired Cryptographic Key
2e5e3ad 
As per the VRT update in 352 - bugcrowd/vulnerability-rating-taxonomy#352
@RRudder RRudder mentioned this pull request Aug 15, 2023
Merged
RRudder added a commit to bugcrowd/templates that referenced this pull request Aug 15, 2023
@RRudder
Adding Incomplete Cleanup of Keying Material
ce19422 
As per the VRT update in 352 - bugcrowd/vulnerability-rating-taxonomy#352
@RRudder RRudder mentioned this pull request Aug 15, 2023
Merged
RRudder added a commit to bugcrowd/templates that referenced this pull request Aug 15, 2023
@RRudder
Added Broken Cryptography
864e8b0 
As per the VRT update in 352 - bugcrowd/vulnerability-rating-taxonomy#352
@RRudder RRudder mentioned this pull request Aug 15, 2023
Merged
RRudder added a commit to bugcrowd/templates that referenced this pull request Aug 15, 2023
@RRudder
Adding Use of Broken Cryptographic Primitive
185b9e5 
As per the VRT update in 352 - bugcrowd/vulnerability-rating-taxonomy#352
@RRudder RRudder mentioned this pull request Aug 15, 2023
Merged
RRudder added a commit to bugcrowd/templates that referenced this pull request Aug 15, 2023
@RRudder
Adding Use of Vulnerable Cryptographic Library
e198f32 
As per the VRT update in 352 - bugcrowd/vulnerability-rating-taxonomy#352
@RRudder RRudder mentioned this pull request Aug 15, 2023
Merged
TimmyBugcrowd added a commit that referenced this pull request Oct 30, 2023
@TimmyBugcrowd
Cryptographic Weakness Category #352
249ea77
nnons pushed a commit that referenced this pull request Nov 13, 2023
@TimmyBugcrowd @amalmurali47 @jhadeepakkumar14
hypens to underscores in vrt items (#386)
967aa57 
* Updating the SSRF category

* Revert "Updating the SSRF category"

This reverts commit 785bd8b.

* Update SSRF classification from `Broken Access Control` to `Server Security Misconfiguration`

* Update SSRF mappings in CVSS V3, CWE, and Remediation Advice files

* Refactor SSRF category and split `External` variant into `GET Request Only` and `DNS Query Only`

* Update CVSS V3 mapping to include the updated mappings for the `External` SSRF variant

* PII-leakage-update

FROM:
P1 - Automotive Security Misconfiguration - Infotainment, Radio Head Unit - PII Leakage

TO:
P1 - Automotive Security Misconfiguration - Infotainment, Radio Head Unit - Sensitive data Leakage/Exposure
Varies - Sensitive Data Exposure - Disclosure of Secrets - PII Leakage/Exposure

* Update secure-code-warrior-links.json

* Update remediation_advice.json

* Update remediation_advice.json

* Update cwe.json

* Update cwe.json

* Update cwe.json

* Update cwe.json

* Update cwe.json

* Update cwe.json

* Update cwe.json

* Update remediation_advice.json

* HTTP Request Smuggling

Adding HTTP Request Smuggling as a new VRT entry.

* Update remediation_advice.json

* Update cvss_v3.json

* Failure to invalidate session on permission change

Adding Failure to invalidate session on permission change as a new VRT entry.

* Update cwe.json

* Update cwe.json

* Update remediation_advice.json

* Update cwe.json

* Deprecation of XSS on IE11

REMOVE: P4 - Cross-Site Scripting (XSS) - IE-Only - IE11

FROM: P5 - Cross-Site Scripting (XSS) - IE-Only - Older Version (< IE11)

TO: P5 - Cross-Site Scripting (XSS) - IE-Only

* Update remediation_advice.json

* LDAP Injection

Adding LDAP Injection as a new VRT entry.

* Update cwe.json

* Update remediation_advice.json

* Update cvss_v3.json

* HTML-Injection

Adding the category below to VRT:
P5 - Server-Side Injection - Content Spoofing - HTML Content Injection

* SSRF External Low Impact

* new IDOR variants

new IDOR variants

* LDAP Injection (#367)

* Update vulnerability-rating-taxonomy.json

* Update cvss_v3.json

* Update cvss_v3.json

* New Changes LDAP Injection

* Cryptographic Weakness Category #352

* New changes Cryptographic Weakness category

* json parse error fix (#380)

* hyphens to underscores in vrt items

* Update remediation_advice.json

* Update remediation_advice.json

---------

Co-authored-by: Amal Murali <amalmurali47@gmail.com>
Co-authored-by: Deepak Kumar Jha <Deepak.jha@bugcrowd.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@vortexau vortexau vortexau requested changes

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@nerdwell @vortexau @TimmyBugcrowd