Common Vulnerabilities and Exposures (CVEs)

Severity: Critical to medium
Test name: Common vulnerabilities and exposures (CVEs)

Summary

Web applications are built from many components, both proprietary and open-source, including platforms, frameworks, and libraries. Keeping these components secure, by patching their source code or upgrading to newer versions, is essential for mitigating known vulnerabilities.

Adversaries typically begin by fingerprinting the application: identifying its platform, dependencies, frameworks, and server software. With that inventory in hand, they search public repositories for documented Common Vulnerabilities and Exposures (CVEs) and matching exploit code for the identified platform or component, and use them to compromise the application. Reusing known vulnerabilities in the application or its components is far cheaper than developing new exploits and raises the likelihood of a successful attack.

Impact

A vulnerable component, such as the operating system, CMS, plugin, or library, can have varying severity impacts depending on the component and the specific vulnerability.

Location

The issue can be found in the component/platform software executable or in the component/library source code, on both the server and client sides.

Remedy suggestions

Ensure that you keep your components up to date by installing the latest stable version. If updating isn't feasible, consider either removing or substituting the dependency altogether.

To avert potential problems down the line, adopt a range of precautions to oversee and respond to vulnerabilities in your components:

  • Trim away unused dependencies and features
  • Routinely inspect both client-side and server-side versions and dependencies
  • Stay vigilant by consistently monitoring sources like CVE (https://cve.mitre.org/) and NVD (https://nvd.nist.gov/) for component vulnerabilities
  • Stay informed through email alerts and obtain components exclusively from official sources, making use of secure links and giving preference to signed packages. Also, keep a close watch on components that are no longer maintained or lack security patches for older versions.
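
The version inspection recommended above can be automated. The following script is an added example, not part of the original page or of any scanner's own code: it parses a requirements.txt-style manifest, compares each pinned version against the affected-version ranges in an advisory list, and reports matches sorted by severity, plus any dependency that is not pinned and therefore cannot be audited. The manifest contents, package names and ADV-EXAMPLE-* identifiers are constructed placeholders; in practice the advisory list would be populated from the CVE and NVD feeds linked above.

```python
"""Audit pinned dependencies against known-vulnerable version ranges (added example)."""
import re
from typing import Dict, List, Optional

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed sample manifest in requirements.txt style; every package name
# and version here is hypothetical.
SAMPLE_MANIFEST = """\
# constructed example manifest
webframework==2.3.4
templating-lib==1.9.0
imageutil==0.8.1
somelib>=3.0        # not pinned: exact version is unknown, so it cannot be audited
"""

# Constructed advisory feed; the ADV-EXAMPLE-* ids are placeholders, not real CVEs.
SAMPLE_ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "webframework", "affected": "<2.4.0", "severity": "high"},
    {"id": "ADV-EXAMPLE-0002", "package": "templating-lib", "affected": ">=1.8.0,<1.9.2", "severity": "critical"},
    {"id": "ADV-EXAMPLE-0003", "package": "imageutil", "affected": "<0.8.0", "severity": "medium"},
]

_PIN_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9.]*)\s*$")
_NAME_RE = re.compile(r"^([A-Za-z0-9_.-]+)")
_CLAUSE_RE = re.compile(r"^(<=|>=|==|!=|<|>)\s*([0-9][0-9.]*)$")
_OPS = {
    "<": lambda c: c < 0, "<=": lambda c: c <= 0, ">": lambda c: c > 0,
    ">=": lambda c: c >= 0, "==": lambda c: c == 0, "!=": lambda c: c != 0,
}


def parse_version(text: str) -> tuple:
    """Turn '2.3.4' into (2, 3, 4) so components compare numerically, not lexically."""
    return tuple(int(part) for part in text.strip(".").split("."))


def compare(a: tuple, b: tuple) -> int:
    """Three-way compare; pads with zeros so 2.4 and 2.4.0 are equal."""
    width = max(len(a), len(b))
    a, b = a + (0,) * (width - len(a)), b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def version_in_range(version: str, spec: str) -> bool:
    """True if `version` satisfies every comma-separated clause of `spec` (e.g. '>=1.8.0,<1.9.2')."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = _CLAUSE_RE.match(clause.strip())
        if not m:
            raise ValueError(f"bad version clause: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](compare(v, parse_version(bound))):
            return False
    return True


def parse_manifest(text: str) -> Dict[str, Optional[str]]:
    """Map package name -> pinned version, or None when the line is not an exact pin."""
    deps: Dict[str, Optional[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        pin = _PIN_RE.match(line)
        if pin:
            deps[pin.group(1).lower()] = pin.group(2)
        else:
            name = _NAME_RE.match(line)
            if name:
                deps[name.group(1).lower()] = None
    return deps


def audit(manifest_text: str, advisories: List[dict]) -> List[dict]:
    """Return advisories whose affected range contains the pinned version, most severe first."""
    deps = parse_manifest(manifest_text)
    findings = []
    for adv in advisories:
        pinned = deps.get(adv["package"].lower())
        if pinned and version_in_range(pinned, adv["affected"]):
            findings.append({"id": adv["id"], "package": adv["package"], "installed": pinned,
                             "affected": adv["affected"], "severity": adv["severity"]})
    findings.sort(key=lambda f: SEVERITY_ORDER.get(f["severity"], 99))
    return findings


def unpinned(manifest_text: str) -> List[str]:
    """Dependencies without an exact version: resolve them before trusting the audit."""
    return sorted(n for n, v in parse_manifest(manifest_text).items() if v is None)


if __name__ == "__main__":
    for f in audit(SAMPLE_MANIFEST, SAMPLE_ADVISORIES):
        print(f"{f['severity']:<8} {f['id']} {f['package']}=={f['installed']} (affected {f['affected']})")
    for name in unpinned(SAMPLE_MANIFEST):
        print(f"warning  {name} is not pinned; audit it after resolving the exact version")
```

Run it against the constructed manifest and it flags templating-lib (1.9.0 falls inside >=1.8.0,<1.9.2) and webframework (2.3.4 is below 2.4.0) while leaving imageutil alone, and separately warns that somelib has no exact pin. Padding versions to equal length in `compare` matters: without it a naive tuple comparison treats 2.4 as older than 2.4.0 and produces false positives on "<2.4.0" ranges.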

Classifications

  • CWE-79
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

References