Vulnhub: reporting vulnerabilities and CVSS scoring

Hello everyone, I wish you success in this process :grin:

What happens

I need clarification regarding the context to calculate CVSSv3 and the correct way to report Vulnhub challenge vulnerabilities.

Regarding the context, I mean whether the vulnerable machine should be considered a client's machine. If that is the case, do I have to assume that it is in a private network, that it is a machine exposed to the Internet, etc., or should it be taken for what it is: an intentionally vulnerable machine connected to the local network?

What do you understand or find about that problem

According to the documentation and a few posts in this forum, for each vulnerability found on a machine, a new .feature and .yml file must be created inside the corresponding folder named by the TEO and CWE. But my confusion starts when I see that merge requests with solutions for machines that include all vulnerabilities in a single folder and a single .feature file have been accepted, which implies that it is a correct way to upload solutions.

If this is the case, that a feature can contain all the vulnerabilities of the machine, I need clarification regarding how to assign a CVSS score, which usually describes a single vulnerability, when in these cases multiple vulnerabilities are being evaluated. The closest thing is to use vulnerability chaining, which would imply that the impact is always reported as high on confidentiality, integrity and availability, since usually the end goal is to get root.

Did you try any workaround? What did you do?

I have read the documentation, and I have searched the forum, but I can’t find a satisfactory answer since I could interpret it my way, but I must report it in the way you expect.

I need help with

I need help clarifying the previously mentioned topics.