Deletion of Data = Integrity Impact, Deletion of Data Availability Impact

Does Data Deletion impact Availability?

Picture this scenario:
You uncover a vulnerability that would allow an attacker to delete all files in the web server’s root directory.

How would you rate the Availability metric for this vulnerability on the CVSS calculator?

High? Low? None?

If you would have asked this question to me a few years ago, I would have answered:

High, isn’t it obvious?
This vulnerability allows an attacker to delete all files from the web server’s root directory. This would make the website unusable for other users. Hence, “High Impact” on availability.

However, let's read the definition of the Availability metric in the CVSS specification:

While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email).
https://lnkd.in/exVsP3BP

In simple terms, it means “Availability” in CVSS calculator is the availability of the underlying system/service, not the availability of data.

Now, let’s look back at the above web server file deletion example and ask ourselves this question:

Does deleting all files in the website’s root directory impact the availability of the web “service”?

It doesn’t. The web service is still running. The only difference is that it is now not serving the intended files. Hence, this vulnerability does not affect Availability, but it impacts Integrity.

So, remember this:
Deletion of Data = Integrity Impact
Deletion of Data ≠ Availability Impact

This a very common misconception. So common is this, that First[.]org has a section dedicated clarifying this in the CVSS user guide:
https://lnkd.in/eYYKdrsT

✍️ What are your thoughts?
♻️ Reshare if this hits.