
Reduce severity of java/relative-path-command #15533

Merged (2 commits, Feb 12, 2024)

Conversation

JLLeitschuh
Contributor

Significantly reduces the severity of java/relative-path-command from 9.8 to 5.4

https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

This is the result of a conversation between myself and @JarLob that can be found in the GitHub Security Ambassadors Slack channel here: https://github-partners.slack.com/archives/C01MF7QQK3P/p1706734093860739

@JarLob's opinion was that the severity should likely be even lower than a 5.4, possibly bringing it down as far as low, given that the attacker would have to have significant system control to exploit this.

@atorralba
Contributor

Hey @JLLeitschuh, thanks for your contribution. I agree that this score should be lower, and while I'd use a slightly different CVSS vector, the numeric score is pretty similar — and intuitively it makes sense that this is a high or medium-severity query rather than a critical one.

> possibly bringing it down as much as low given the attacker would have to have significant system control to exploit this.

It all depends on the threat model. For a program executed remotely (like a webapp) that's mostly true, but for local programs, especially those with the SUID bit set, the exploitation is much more straightforward and impactful. So I think a medium score is a good compromise.
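To make the threat-model point concrete, here is an added illustration (not code from the CodeQL repository or from either commenter) of the pattern java/relative-path-command flags next to a hardened form; the class and method names are hypothetical.

```java
import java.io.IOException;
import java.util.Map;

// Added example, not part of the CodeQL project: the relative-path command
// pattern the query reports, beside a hardened version of the same call.
public class RelativePathCommand {

    // Flagged by java/relative-path-command: "ls" is resolved against the
    // process's PATH at launch. In a local program, and especially one running
    // with the SUID bit set, the environment the program inherits decides which
    // binary actually executes with the program's privileges.
    static Process listRelative(String dir) throws IOException {
        return new ProcessBuilder("ls", "-l", dir).start();
    }

    // Hardened: the binary is named by an absolute path, and the child receives
    // a minimal fixed environment so an inherited PATH cannot influence the
    // command or anything it spawns.
    static Process listAbsolute(String dir) throws IOException {
        ProcessBuilder pb = new ProcessBuilder("/bin/ls", "-l", dir);
        Map<String, String> env = pb.environment();
        env.clear();
        env.put("PATH", "/usr/bin:/bin");
        return pb.start();
    }

    public static void main(String[] args) throws IOException, InterruptedException {
        Process p = listAbsolute(args.length > 0 ? args[0] : ".");
        p.getInputStream().transferTo(System.out);
        System.exit(p.waitFor());
    }
}
```

The same distinction explains the medium score: for a remotely driven web application the attacker rarely controls the server's PATH, whereas for a locally launched SUID tool the inherited environment is exactly what the caller controls.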

@atorralba atorralba merged commit b6385f7 into github:main Feb 12, 2024
15 checks passed