[Tenable Vuln Management]: validation error for Vulnerability "cvss3_attack_vector" Input #3575

Open
romain-filigran opened this issue Mar 6, 2025 · 1 comment
Labels
filigran support [optional] use to identify an issue related to feature developed & maintained by Filigran. improvement

@romain-filigran
Member

Description

Some errors are observed when ingesting findings from Tenable Vulnerability Management solution.

Tenable uses “Adjacent Network” as the value for the CVSS V3 attack vector, which does not appear to be authorized.

Allow this value or be less strict about the possible values for this field, given that no control has yet been implemented on the platform side.

```
Traceback (most recent call last):
  File "/opt/opencti-connector-tenable-vuln-management/tenable_vuln_management/connector.py", line 195, in _process
    self.converter_to_stix.process_vuln_finding(
  File "/opt/opencti-connector-tenable-vuln-management/tenable_vuln_management/converter_to_stix.py", line 430, in process_vuln_finding
    vulnerability_related_objects = self.process_plugin(vuln_finding.plugin)
                                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/opencti-connector-tenable-vuln-management/tenable_vuln_management/converter_to_stix.py", line 392, in process_plugin
    vulnerabilities = self._make_vulnerabilities(plugin=plugin)
                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/opencti-connector-tenable-vuln-management/tenable_vuln_management/converter_to_stix.py", line 385, in _make_vulnerabilities
    [Vulnerability(name=cve, **base, **details) for cve in plugin.cve]
     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/pydantic/main.py", line 214, in __init__
    validated_self = self.__pydantic_validator__.validate_python(data, self_instance=self)
                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
pydantic_core._pydantic_core.ValidationError: 1 validation error for Vulnerability
cvss3_attack_vector
  Input should be 'NETWORK', 'N', 'Network', 'ADJACENT', 'A', 'Adjacent', 'LOCAL', 'L', 'Local', 'PHYSICAL', 'P' or 'Physical' [type=literal_error, input_value='Adjacent Network', input_type=str]
    For further information visit https://errors.pydantic.dev/2.10/v/literal_error
```

Environment

OpenCTI version: 6.5.4

@romain-filigran romain-filigran added bug use for describing something not working as expected needs triage use to identify issue needing triage from Filigran Product team and removed needs triage use to identify issue needing triage from Filigran Product team labels Mar 6, 2025
@romain-filigran romain-filigran added this to the Bugs backlog milestone Mar 6, 2025
@helene-nguyen helene-nguyen added the filigran support [optional] use to identify an issue related to feature developed & maintained by Filigran. label Mar 7, 2025
@flavienSindou flavienSindou added improvement and removed bug use for describing something not working as expected labels Mar 7, 2025
@flavienSindou
Contributor

flavienSindou commented Mar 7, 2025

The specification of CVSS V3 [consulted on March 7th, 2025] seems rather clear on this:

> When deciding between Network and Adjacent, if an attack can be launched over a wide area network or from outside the logically adjacent administrative network domain, use Network. Network should be used even if the attacker is required to be on the same intranet to exploit the vulnerable system (e.g., the attacker can only exploit the vulnerability from inside a corporate network).

And this does not appear to change in V4.0.

Wouldn't it be misleading to allow this clearly anti-specification value rather than the current behavior: skipping the corrupted item and logging the related message?

It might be possible that the observed Adjacent Network is in fact a CVSS V2 value (see V2 specification). In this case, we have already discussed this topic, and you ultimately stated that no conversion should be attempted from v2 to v3.
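
The skip-and-log behaviour discussed in this thread, as an added example that is not part of either comment and is not the connector's code. It uses only the standard library in place of pydantic; the accepted values are copied from the error message above, while the `Vulnerability` stand-in, `convert_findings`, the v2 hint and the sample findings (with placeholder CVE ids) are assumptions made for illustration.

```python
import logging
from dataclasses import dataclass
from typing import Optional

logger = logging.getLogger("tenable_vuln_example")  # hypothetical logger name

# Accepted values, copied from the pydantic error message in the issue.
CVSS3_ATTACK_VECTORS = frozenset({
    "NETWORK", "N", "Network",
    "ADJACENT", "A", "Adjacent",
    "LOCAL", "L", "Local",
    "PHYSICAL", "P", "Physical",
})

# CVSS v2 Access Vector names; "Adjacent Network" is the v2 spelling.
CVSS2_ACCESS_VECTORS = frozenset({"Local", "Adjacent Network", "Network"})


@dataclass(frozen=True)
class Vulnerability:  # simplified stand-in, not the connector's model
    name: str
    cvss3_attack_vector: Optional[str] = None

    def __post_init__(self):
        value = self.cvss3_attack_vector
        if value is not None and value not in CVSS3_ATTACK_VECTORS:
            raise ValueError(f"cvss3_attack_vector: invalid value {value!r}")


def convert_findings(findings):
    """Return (accepted, skipped_names); invalid items are logged, never rewritten."""
    accepted, skipped = [], []
    for finding in findings:
        try:
            accepted.append(Vulnerability(**finding))
        except ValueError as err:
            vector = finding.get("cvss3_attack_vector")
            # Only reached for values rejected as v3, so this flags v2-only spellings.
            hint = " (looks like a CVSS v2 Access Vector)" if vector in CVSS2_ACCESS_VECTORS else ""
            logger.warning("Skipping %s: %s%s", finding.get("name"), err, hint)
            skipped.append(finding["name"])
    return accepted, skipped


# Constructed sample input; the CVE ids are placeholders.
SAMPLE_FINDINGS = [
    {"name": "CVE-0000-0001", "cvss3_attack_vector": "Network"},
    {"name": "CVE-0000-0002", "cvss3_attack_vector": "Adjacent Network"},
    {"name": "CVE-0000-0003", "cvss3_attack_vector": "A"},
]
```

The rejected value is reported with a v2 hint but is not mapped to `Adjacent`, in line with the "no conversion from v2 to v3" position stated in the comment.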
