cvss 2.2.0

Common Vulnerability Scoring System parser/serializer
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115

//! Attack Vector (MAV)

use crate::{
    Error, Result,
    v4::metric::{Metric, MetricType},
};
use alloc::borrow::ToOwned;
use core::{fmt, str::FromStr};

/// Attack Vector (MAV) - CVSS v4.0 Environmental Metric Group
///
/// Described in CVSS v4.0 Specification: Section 4.2
///
/// > This metric reflects the context by which vulnerability exploitation is
/// > possible. This metric value (and consequently the resulting severity) will
/// > be larger the more remote (logically, and physically) an attacker can be
/// > in order to exploit the vulnerable system. The assumption is that the
/// > number of potential attackers for a vulnerability that could be exploited
/// > from across a network is larger than the number of potential attackers
/// > that could exploit a vulnerability requiring physical access to a device,
/// > and therefore warrants a greater severity.
#[derive(Copy, Clone, Debug, Eq, PartialEq, PartialOrd, Ord)]
pub enum ModifiedAttackVector {
    /// Physical (P)
    ///
    /// > The attack requires the attacker to physically touch or manipulate the
    /// > vulnerable system. Physical interaction may be brief (e.g., evil maid
    /// > attack1) or persistent. An example of such an attack is a cold boot
    /// > attack in which an attacker gains access to disk encryption keys after
    /// > physically accessing the target system. Other examples include
    /// > peripheral attacks via FireWire/USB Direct Memory Access (DMA).
    Physical,
    /// Local (L)
    ///
    /// > The vulnerable system is not bound to the network stack and the
    /// > attacker’s path is via read/write/execute capabilities. Either: the
    /// > attacker exploits the vulnerability by accessing the target system
    /// > locally (e.g., keyboard, console), or through terminal emulation
    /// > (e.g., SSH); or the attacker relies on User Interaction by another
    /// > person to perform actions required to exploit the vulnerability (e.g.,
    /// > using social engineering techniques to trick a legitimate user into
    /// > opening a malicious document).
    Local,
    /// Adjacent (A)
    ///
    /// > The vulnerable system is bound to a protocol stack, but the attack is
    /// > limited at the protocol level to a logically adjacent topology. This
    /// > can mean an attack must be launched from the same shared proximity
    /// > (e.g., Bluetooth, NFC, or IEEE 802.11) or logical network (e.g., local
    /// > IP subnet), or from within a secure or otherwise limited
    /// > administrative domain (e.g., MPLS, secure VPN within an administrative
    /// > network zone). One example of an Adjacent attack would be an ARP
    /// > (IPv4) or neighbor discovery (IPv6) flood leading to a denial of
    /// > service on the local LAN segment (e.g., CVE-2013-6014).
    Adjacent,
    /// Network (N)
    ///
    /// > The vulnerable system is bound to the network stack and the set of
    /// > possible attackers extends beyond the other options listed below, up
    /// > to and including the entire Internet. Such a vulnerability is often
    /// > termed “remotely exploitable” and can be thought of as an attack being
    /// > exploitable at the protocol level one or more network hops away (e.g.,
    /// > across one or more routers). An example of a network attack is an
    /// > attacker causing a denial of service (DoS) by sending a specially
    /// > crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
    Network,
    /// Not Defined (X)
    ///
    /// > The metric has not been evaluated.
    NotDefined,
}

impl Default for ModifiedAttackVector {
    fn default() -> Self {
        Self::NotDefined
    }
}

impl Metric for ModifiedAttackVector {
    const TYPE: MetricType = MetricType::MAV;

    fn as_str(self) -> &'static str {
        match self {
            ModifiedAttackVector::NotDefined => "X",
            ModifiedAttackVector::Network => "N",
            ModifiedAttackVector::Adjacent => "A",
            ModifiedAttackVector::Local => "L",
            ModifiedAttackVector::Physical => "P",
        }
    }
}

impl fmt::Display for ModifiedAttackVector {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "{}:{}", Self::name(), self.as_str())
    }
}

impl FromStr for ModifiedAttackVector {
    type Err = Error;

    fn from_str(s: &str) -> Result<Self> {
        match s {
            "X" => Ok(ModifiedAttackVector::NotDefined),
            "N" => Ok(ModifiedAttackVector::Network),
            "A" => Ok(ModifiedAttackVector::Adjacent),
            "L" => Ok(ModifiedAttackVector::Local),
            "P" => Ok(ModifiedAttackVector::Physical),
            _ => Err(Error::InvalidMetricV4 {
                metric_type: Self::TYPE,
                value: s.to_owned(),
            }),
        }
    }
}