Conversation

@abhinav-nain (Contributor)

Description

VRT Related changes

Added

  • Decentralized Application Misconfiguration - Insecure Data Storage - Plaintext Private Key - P1
  • Decentralized Application Misconfiguration - Insecure Data Storage - Sensitive Information Exposure - Varies
  • Decentralized Application Misconfiguration - Improper Authorization - Insufficient Signature Validation - Varies
  • Decentralized Application Misconfiguration - DeFi Security - Flash Loan Attack - Varies
  • Decentralized Application Misconfiguration - DeFi Security - Pricing Oracle Manipulation - Varies
  • Decentralized Application Misconfiguration - DeFi Security - Function-Level Accounting Error - Varies
  • Decentralized Application Misconfiguration - DeFi Security - Improper Implementation of Governance - Varies
  • Decentralized Application Misconfiguration - Marketplace Security - Signer Account Takeover - P1
  • Decentralized Application Misconfiguration - Marketplace Security - Unauthorized Asset Transfer - P1
  • Decentralized Application Misconfiguration - Marketplace Security - Orderbook Manipulation - P1
  • Decentralized Application Misconfiguration - Marketplace Security - Malicious Order Offer - P2
  • Decentralized Application Misconfiguration - Marketplace Security - Price or Fee Manipulation - P2
  • Decentralized Application Misconfiguration - Marketplace Security - OFAC Bypass - P3
  • Decentralized Application Misconfiguration - Marketplace Security - Improper Validation and Checks For Deposits and Withdrawals - Varies
  • Decentralized Application Misconfiguration - Marketplace Security - Miscalculated Accounting Logic - Varies
  • Decentralized Application Misconfiguration - Marketplace Security - Denial of Service - Varies
  • Decentralized Application Misconfiguration - Protocol Security Misconfiguration - Node-level Denial of Service - P1
  • Protocol Specific Misconfiguration - Frontrunning-Enabled Attack - P2
  • Protocol Specific Misconfiguration - Sandwich-Enabled Attack - P2
  • Protocol Specific Misconfiguration - Misconfigured Staking Logic - Varies
  • Protocol Specific Misconfiguration - Improper Validation and Finalization Logic - Varies
  • Smart Contract Misconfiguration - Reentrancy Attack - P1
  • Smart Contract Misconfiguration - Smart Contract Owner Takeover - P1
  • Smart Contract Misconfiguration - Uninitialized Variables - P1
  • Smart Contract Misconfiguration - Unauthorized Transfer of Funds - P1
  • Smart Contract Misconfiguration - Integer Overflow / Underflow - P2
  • Smart Contract Misconfiguration - Unauthorized Smart Contract Approval - P2
  • Smart Contract Misconfiguration - Irreversible Function Call - P3
  • Smart Contract Misconfiguration - Function-level Denial of Service - P3
  • Smart Contract Misconfiguration - Malicious Superuser Risk - P3
  • Smart Contract Misconfiguration - Improper Fee Implementation - P3
  • Smart Contract Misconfiguration - Improper Use of Modifier - P4
  • Smart Contract Misconfiguration - Improper Decimals Implementation - P4
  • Smart Contract Misconfiguration - Inaccurate Rounding Calculation - Varies
  • Smart Contract Misconfiguration - Bypass of Function Modifiers & Checks - Varies
  • Zero Knowledge Security Misconfiguration - Missing Constraint - Varies
  • Zero Knowledge Security Misconfiguration - Mismatching Bit Lengths - Varies
  • Zero Knowledge Security Misconfiguration - Misconfigured Trusted Setup - Varies
  • Zero Knowledge Security Misconfiguration - Missing Range Check - Varies
  • Zero Knowledge Security Misconfiguration - Improper Proof Validation and Finalization Logic - P1
  • Zero Knowledge Security Misconfiguration - Deanonymization of Data - P1
  • Blockchain Infrastructure Misconfiguration - Improper Bridge Validation and Verification Logic - Varies
  • Broken Authentication and Session Management - SAML Replay - P5

Changed

FROM:

  • Broken Access Control (BAC) - Insecure Direct Object References (IDOR) - Read/Edit/Delete Sensitive Information/Iterable Object Identifiers - P1
  • Broken Access Control (BAC) - Insecure Direct Object References (IDOR) - Edit/Delete Sensitive Information/Iterable Object Identifiers - P2
  • Broken Access Control (BAC) - Insecure Direct Object References (IDOR) - Read Sensitive Information/Iterable Object Identifiers - P3
  • Broken Access Control (BAC) - Insecure Direct Object References (IDOR) - Read/Edit/Delete Sensitive Information/Complex Object Identifiers(GUID) - P4
  • Broken Access Control (BAC) - Insecure Direct Object References (IDOR) - Read/Edit/Delete Non-Sensitive Information - P5

TO:

  • Broken Access Control (BAC) - Insecure Direct Object References (IDOR) - Modify/View Sensitive Information(Iterable Object Identifiers) - P1
  • Broken Access Control (BAC) - Insecure Direct Object References (IDOR) - Modify Sensitive Information(Iterable Object Identifiers) - P2
  • Broken Access Control (BAC) - Insecure Direct Object References (IDOR) - View Sensitive Information(Iterable Object Identifiers) - P3
  • Broken Access Control (BAC) - Insecure Direct Object References (IDOR) - Modify/View Sensitive Information(Complex Object Identifiers GUID/UUID) - P4
  • Broken Access Control (BAC) - Insecure Direct Object References (IDOR) - View Non-Sensitive Information - P5

Other

  • CVSS Score correction for Server Security Misconfiguration - Mail Server Misconfiguration - Email Spoofing to Inbox due to Missing or Misconfigured DMARC on Email Domain - P4.
  • All JSONs, i.e., the VRT and its mapping JSONs, are now alphabetically sorted.
  • Internal library changes to add a new helper script that aids in sorting the JSONs.

Checklist:

  • I have made corresponding changes to the documentation
  • I have added tests that prove my fix is effective or that my feature works
  • I have added entries to CHANGELOG.md and marked it Added/Changed/Removed
  • I have not incremented version.rb

@abhinav-nain abhinav-nain merged commit abbe37a into master Feb 12, 2025
3 checks passed