[VIM] "context-dependent" and "user-assisted" terminology in CVE
Christey, Steven M.
coley at mitre.org
Wed Mar 20 12:00:08 CDT 2013
Prompted by a Twitter conversation with Jericho a little while ago, here is how CVE uses certain terms in our descriptions. We try to be consistent in this usage, although there can be exceptions.
It would be nice to get some alignment with OSVDB, especially because OSVDB seems to use "context-dependent" in a different way than CVE.
- Steve
Context-dependent
-------------------------
This term is used when the attack could be local or
remote, depending on the context in which the vulnerable code is used.
This is typically used for language interpreters and libraries, where
the attack vector is entirely dependent on the logic of the
application that is using the interpreter or library.
My initial VIM post:
http://www.attrition.org/pipermail/vim/2006-February/000538.html
CVE examples: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=context-dependent
User-assisted
-----------------
This term is used when the attack requires a victim to
INTERACTIVELY allow the attack to happen, *and* this interaction
is not part of common usage; or, when the attacker has to
passively wait for the victim to perform some action that is not
usual. Typically involves some direct social engineering.
Example: having to trick a user into clicking and dragging an icon
to a particular location, or to ignore a warning of dangerous
behavior, is user-assisted; but tricking a user into clicking a
malicious link is NOT user-assisted, since clicking on links is a
fundamental activity for surfing the web.
My initial VIM post:
http://www.attrition.org/pipermail/vim/2006-August/000968.html
CVE examples: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=user-assisted
Physically Proximate
-------------------------
Person must have physical access to the device or environment in
order to exploit the vulnerability. Examples: touching a workstation
keyboard or USB device; "shoulder surfing" to see a workstation's
display; touching the screen of a mobile device;
plugging into a serial port. Note: physical contact must be required;
thus Near Field Communications, WiFi, etc. are called
"remote" within CVE.
CVE examples: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=physically+proximate
More information about the VIM
mailing list