
[GHSA-fqx8-v33p-4qcc] Revising CVSS 3.x Rating of Availability from High (H) to None (N) #5202

Open
wants to merge 1 commit into
base: lucia-di-lammermoor/advisory-improvement-5202

Conversation

lucia-di-lammermoor

Summary

The Availability (A) rating of CVE-2022-23638 / GHSA-fqx8-v33p-4qcc should be updated from High (H) to None (N). While the XSS vulnerability enables attackers to execute malicious code in users’ browsers, it does not impact resource availability, degrade performance, or prevent legitimate users from accessing the service.

GHSA Description

SVG sanitizer library before version 0.15.0 did not remove HTML elements wrapped in a CDATA section. As a result, SVG content embedded in HTML (fetched as text/html) was susceptible to cross-site scripting. Plain SVG files (fetched as image/svg+xml) were not affected.

CVSS 3.x Specifications

| Metric Value | Description |
|---|---|
| High (H) | There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed). Alternatively, the attacker has the ability to deny some availability, but the loss of availability presents a direct, serious consequence to the impacted component (e.g., the attacker cannot disrupt existing connections, but can prevent new connections; the attacker can repeatedly exploit a vulnerability that, in each instance of a successful attack, leaks only a small amount of memory, but after repeated exploitation causes a service to become completely unavailable). |
| Low (L) | Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the impacted component are either partially available all of the time, or fully available only some of the time, but overall there is no direct, serious consequence to the impacted component. |
| None (N) | There is no impact to availability within the impacted component. |

Supporting Examples

The following CVEs on PHP packages have all been rated A:N:

  • CVE-2023-49146 / GHSA-2ghm-r75j-pjx2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

    DOMSanitizer (aka dom-sanitizer) before 1.0.7 allows XSS via an SVG document because of mishandling of comments and greedy regular expressions.

  • CVE-2019-16126 / GHSA-6268-v434-45m5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

    Grav through 1.6.15 allows (Stored) Cross-Site Scripting due to JavaScript execution in SVG images.

  • CVE-2020-11070 / GHSA-59cf-m7v5-wh5w (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

    Slightly invalid or incomplete SVG markup is not correctly processed and thus not sanitized at all. Albeit the markup is not valid it still is evaluated in browsers and leads to cross-site scripting.

@github-actions github-actions bot changed the base branch from main to lucia-di-lammermoor/advisory-improvement-5202 January 20, 2025 16:58
@JonathanLEvans

Hi @lucia-di-lammermoor, while the general convention is to score XSS vulnerabilities with C:L/I:L/A:N, there are reasonable arguments that availability can be affected. For example, XSS attacks have been used to run cryptominers, which would impact performance.
