How to assess the Privilege Required?

Question

I am calculating the CVSS score for an issue, and I am confused about the Privileges Required (PR).

The issue is, for a client desktop app that connects to a server, the logged in user allows debugging, the JWT token of the user will be logged on his workstation. Now that it is on the workstation, anyone who has access to the workstation, will be able to get the token from the file where the JWT token.

For this what the PR value would be? I consider it low, as anyone who can access the workstation can grab the token. Someone told me it should be high because the user should be logged in. So which one is right?

None (N)    The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
Low (L)     The attacker requires privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources.
High (H)    The attacker requires privileges that provide significant (e.g., administrative) control over the vulnerable component allowing access to component-wide settings and files.

Answer 1

According to the CVSS specification, the Privileges Required metric is defined as follow:

• None: The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
• Low: The attacker requires privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources.
• High: The attacker requires privileges that provide significant (e.g., administrative) control over the vulnerable component allowing access to component-wide settings and files.

What you have to be precise about is which vulnerability you are reporting, and the scope of it. It is not very clear whether the workstation is in the scope of your vulnerability or not.

Is the vulnerability only about the exposition of a debug function that allows the JWT to be exported? Or is it about the potential access to sensitive information present on the workstation?

I would assume it is the former, and that the workstation is not part of your scope. I assume that any client application, regardless of whether it is on a specific workstation, would be vulnerable.

So your justification becomes off-topic, because you mention the workstation. Access to the workstation is irrelevant in this case.

The PR metric is only interested in the privileges the attacker needs.

In your case, the attacker needs to be logged in as a user of your application. So we can rule out the None level.

The only question left is whether it is Low or High. With your given context, it seems that any authenticated user can export the token, so the metric level would be Low (with the rationale that there is no need to be an administrator of the application to retrieve a token).

And just for completeness, the following justification:

Someone told me it should be high because the user should be logged in.

is false. Again, in the specification, the distinction between the Low and High levels is about the difference in privileges. Being logged in only raises the level from None to Low, not High.