Formalize CVSS "Privileges Required" level for XWiki advisories

Hi everyone,

so in order to avoid ambiguities, I’d like that we formalize the different concepts used in CVSS calculator within XWiki vocabulary, starting with the “Privileges Required” concept which is a bit blurry.

For CVSS there’s only 3 levels for Privileges Required: None, Low or High.
Note that in the following when I’m talking about “standard XWiki right” I mean the right scheme that is bundled by default.

I propose the following matrix:

  • None: Apply for any vulnerability that might be done with Guest user with standard XWiki right, AND with Guest user with Comment right as it’s a supported UC in XWiki which is supposed to prevent giving more rights to Guest
  • Low: Apply for any vulnerability that might be done with registered users with standard XWiki right (note that it includes Script right for XWiki < 14.10)
  • High: Apply for any vulnerability that involves more right than the standard XWiki right (can be allowing Script right for XWiki 14.10+, or Delete on the whole wiki, admin on a space etc)

I propose to document this in our policy. wdyt?

And the first things is to clarify what “by default” means :slight_smile:

I assume you are talking about the right schema which is coming with the XWiki Standard Flavor (which is different from what you have in an empty wiki, even if becoming closer after 14.10).

  • Low: Apply for any vulnerability that might be done with registered users with standard XWiki right (note that it includes Script right for XWiki < 14.10)

So if I understand well, having script right is low currently (I assume most known vulnerabilities affect XWiki < 14.10 currently) which, I think, is quite different from what we did so far. Now what is not very clear for me is which branches we should take into account for this grade, only supported branches ? All affected branches ?

Indeed I forgot about the empty wiki case, and I was referring to XWiki Standard Flavor.

Yes, we created advisories thinking that Script right should be High as it’s an important right, but I’m now thinking we might have been wrong by doing that since it’s a right allowed by default in older versions of XWiki so it might be considered as a Low privilege required for those.

Just to be sure, your question is: what should be the level if an advisory implies to have script right and impacts both XWiki 13.10 and XWiki 15.0?

My answer is that the worst case scenario always wins so 13.10 impact is worst as Script right is allowed, so it’s Low privilege required.

It’s close, but my real question would be better expressed with the following example: in one month 14.10.x will be the new LTS which means that we won’t have any supported branch in which users have script right by default, from there should we take into account only supported/fixed branches or all affected branches ?

Hmmm that’s a good one. I’m not sure. I think I’d say “All affected branches”. So if I take my example now or in one month it would have same severity. Now if my example would affect only 14.10 it would be Low.

In some cases, we have affected versions that didn’t even have the concept of a script right. I don’t think we should consider all versions but just those that we support when calculating the severity. And yes, fixing one issue (or implementing a change) can affect the severity of other issues as it may become more difficult to exploit it.

So +1 for the proposed matrix. What I would document is that the HTML converter allows executing XWiki syntax for guests and thus issues involving macros may fall into the first category even if this macro isn’t working in restricted mode in comments.

Should we also apply this matrix to existing advisories, at least to unpublished advisories?

Now documented in https://dev.xwiki.org/xwiki/bin/view/Community/SecurityPolicy/#HBestpracticesforcomputingCVSS

1 Like