Common Vulnerabilities and Exposures (CVEs)

Severity: Critical to medium
Test name: Common Vulnerabilities and Exposures (CVEs)
Summary

Web applications are built from many components, both commercial and open-source: platforms, frameworks, libraries, plugins, and the server software underneath them. A weakness in any of these is a weakness in the application, so every component must be kept patched, either by applying the vendor's fix to its source or by upgrading to a version in which the flaw is fixed.

Attackers typically begin by mapping the application: identifying its platform, server software, frameworks, and client- and server-side dependencies, together with their versions, from response headers, error pages, cookie names, asset paths and version strings. They then search public sources for Common Vulnerabilities and Exposures (CVEs) and published exploit code matching the identified components and versions, and use those exploits against the application. Reusing a documented vulnerability is cheaper and more reliable than developing a new one, so a known-vulnerable component is usually the first thing an attacker tries.
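The mapping step described above, as an added example that is not part of the original page: a small passive fingerprinter that pulls product and version strings out of one HTTP response (Server and X-Powered-By headers, session cookie names, the CMS generator tag, and versioned asset URLs). The responses, host names, products and versions are constructed for the example and were not captured from any real site. A second constructed response with the identifying headers removed shows that suppressing headers alone does not hide the components: the versions still leak through markup and asset paths, so the remedy is to patch, not to obscure.

```python
"""Passive component fingerprinting from a single HTTP response.

Added example; the responses below are constructed for illustration and are
not captured from any real host.
"""
import re

VERSION = r"(\d+(?:\.\d+)+)"  # dotted numeric version such as 2.4.49

# Constructed response from a fictitious site that leaks versions everywhere.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.49 (Unix)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Set-Cookie: PHPSESSID=0123456789abcdef; path=/; HttpOnly\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<!DOCTYPE html><html><head>\n"
    '<meta name="generator" content="WordPress 5.8.1" />\n'
    '<script src="/wp-includes/js/jquery/jquery.min.js?ver=3.6.0"></script>\n'
    '<script src="https://cdn.example.com/bootstrap-4.5.2/js/bootstrap.bundle.min.js"></script>\n'
    '<link rel="stylesheet" href="/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.4.2">\n'
    "</head><body>hello</body></html>\n"
)

# The same site after "hardening" by removing only the Server and X-Powered-By headers.
STRIPPED_RESPONSE = SAMPLE_RESPONSE.replace(
    "Server: Apache/2.4.49 (Unix)\r\n", "").replace("X-Powered-By: PHP/7.4.3\r\n", "")


def split_response(raw):
    """Return (headers dict with lower-cased names, body) from a raw HTTP response."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def fingerprint(raw):
    """Map component name -> version string (or 'unknown') found in one response."""
    headers, body = split_response(raw)
    found = {}

    # 1. Server / X-Powered-By carry "Product/version" tokens.
    for hdr in ("server", "x-powered-by"):
        for name, ver in re.findall(r"([A-Za-z][\w-]*)/" + VERSION, headers.get(hdr, "")):
            found[name.lower()] = ver

    # 2. Session cookie names identify the runtime even when headers are stripped.
    cookie = headers.get("set-cookie", "").lower()
    for marker, product in (("phpsessid=", "php"), ("jsessionid=", "java-servlet"),
                            ("asp.net_sessionid=", "asp.net")):
        if marker in cookie:
            found.setdefault(product, "unknown")

    # 3. CMS generator tag: <meta name="generator" content="WordPress 5.8.1">
    m = re.search(r'<meta\s+name="generator"\s+content="([^"\d]+?)\s*' + VERSION + '"', body, re.I)
    if m:
        found[m.group(1).strip().lower()] = m.group(2)

    # 4. Versioned asset URLs: /plugins/<slug>/...?ver=, <lib>.min.js?ver=, <lib>-x.y.z/ paths.
    for path in re.findall(r'(?:src|href)="([^"]+)"', body, re.I):
        ver = re.search(r"[?&]ver=" + VERSION, path)
        slug = re.search(r"/plugins/([^/]+)/", path)
        lib = re.search(r"([A-Za-z][\w]*)(?:\.min)?\.(?:js|css)\?", path)
        inline = re.search(r"/([A-Za-z][\w]*?)[-.]" + VERSION + r"[/.-]", path)
        if slug and ver:
            found[slug.group(1).lower()] = ver.group(1)
        elif lib and ver:
            found[lib.group(1).lower()] = ver.group(1)
        elif inline:
            found[inline.group(1).lower()] = inline.group(2)
    return found


if __name__ == "__main__":
    for label, raw in (("full", SAMPLE_RESPONSE), ("headers stripped", STRIPPED_RESPONSE)):
        print(label, fingerprint(raw))
```

Each (component, version) pair the function returns is exactly the search key an attacker feeds into CVE and NVD lookups, which is why the defensive inventory in the remedy section must be at least as complete as this view from outside.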

Impact

The impact depends on the component and on the specific vulnerability: an outdated operating system, CMS, plugin, or library can expose anything from information disclosure and denial of service to authentication bypass and remote code execution, which is why the severity of this finding ranges from medium to critical.

Location

The issue can be located in platform or component binaries (web server, runtime, CMS) or in component and library source code, on both the server side and the client side (for example, JavaScript libraries served to the browser).

Remedy suggestions

Keep components up to date by installing the latest stable version. If updating is not feasible, remove the dependency or replace it with a maintained alternative.

To avoid the same problem recurring, adopt a set of practices for tracking and responding to vulnerabilities in your components:

  • Remove unused dependencies, features, and plugins; code that is not shipped cannot be exploited
  • Routinely inventory client-side and server-side components and their versions (for example from lock files and package manifests) and compare them against advisory data
  • Monitor sources such as CVE (https://cve.mitre.org/) and NVD (https://nvd.nist.gov/) for vulnerabilities in the components you use
  • Subscribe to vendor and project security mailing lists and advisories
  • Obtain components only from official sources over secure links, prefer signed packages, and verify signatures or checksums before use
  • Watch for components that are no longer maintained, or whose older branches no longer receive security patches, and plan their replacement before a vulnerability forces it
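The inventory and monitoring steps above, combined into one added example (not code from the original page): a dependency audit that parses a pinned requirements file, normalizes package names, and matches each pinned version against an advisory feed with introduced/fixed version ranges in the shape the OSV format uses. The advisory records, identifiers, package names and the requirements file are constructed for the example; the identifiers are not real CVEs. It also flags two things a practitioner needs to see: dependencies that are not pinned to an exact version (and therefore cannot be audited), and advisories with no fixed version, where the only remedy is removal or replacement.

```python
"""Audit pinned dependencies against an advisory feed with version ranges.

Added example. The advisory records and the requirements file are constructed
for illustration; the identifiers are not real CVEs and the packages are
fictitious.
"""
import re

SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}

# Constructed advisories in an OSV-like shape: a package is affected from
# "introduced" (inclusive) up to "fixed" (exclusive); no "fixed" means no patch exists.
ADVISORIES = [
    {"id": "ADV-0001", "package": "example-http-server", "severity": "CRITICAL",
     "ranges": [{"introduced": "2.4.49", "fixed": "2.4.51"}]},
    {"id": "ADV-0002", "package": "example-template-lib", "severity": "HIGH",
     "ranges": [{"introduced": "0", "fixed": "1.9.0"}]},
    {"id": "ADV-0003", "package": "example-legacy-parser", "severity": "MEDIUM",
     "ranges": [{"introduced": "0"}]},  # unmaintained: never fixed
]

# Constructed requirements.txt; not a real project's manifest.
REQUIREMENTS = """\
# server-side dependencies
example-http-server==2.4.50
example-template-lib==1.9.0
example-legacy-parser==0.3.1
example-json-utils>=1.0          # not pinned: cannot be audited
Example_Http_Server.Extra==1.0   # same family, different name spelling
"""


def parse_version(text):
    """'2.4.50-r1' -> (2, 4, 50); trailing zeros are dropped so 1.9.0 == 1.9."""
    parts = []
    for piece in re.split(r"[.\-]", text):
        m = re.match(r"\d+", piece)
        if not m:
            break  # stop at the first non-numeric segment (e.g. 'r1', 'beta')
        parts.append(int(m.group()))
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_affected(version, ranges):
    """True if version falls inside any [introduced, fixed) range."""
    v = parse_version(version)
    for r in ranges:
        low = parse_version(r.get("introduced", "0"))
        fixed = r.get("fixed")
        if v >= low and (fixed is None or v < parse_version(fixed)):
            return True
    return False


def normalize_name(name):
    """PEP 503 style: case-insensitive, runs of '-', '_' and '.' collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text):
    """Return ({normalized name: pinned version}, [lines that are not exact pins])."""
    pinned, unpinned = {}, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"([A-Za-z0-9][\w.\-]*)\s*==\s*([\w.\-]+)$", line)
        if m:
            pinned[normalize_name(m.group(1))] = m.group(2)
        else:
            unpinned.append(line)  # a range like >=1.0 resolves differently on each install
    return pinned, unpinned


def audit(pinned, advisories):
    """Match pinned versions against advisories; worst severity first."""
    findings = []
    for adv in advisories:
        name = normalize_name(adv["package"])
        if name in pinned and is_affected(pinned[name], adv["ranges"]):
            fixes = [r["fixed"] for r in adv["ranges"] if "fixed" in r]
            action = ("upgrade to " + max(fixes, key=parse_version)) if fixes \
                else "no fix published: remove or replace"
            findings.append({"package": name, "installed": pinned[name],
                             "id": adv["id"], "severity": adv["severity"], "action": action})
    return sorted(findings, key=lambda f: SEVERITY_ORDER.get(f["severity"], 99))


if __name__ == "__main__":
    pins, loose = parse_requirements(REQUIREMENTS)
    for f in audit(pins, ADVISORIES):
        print(f"{f['severity']:8} {f['package']}=={f['installed']} {f['id']}: {f['action']}")
    for line in loose:
        print("UNPINNED", line, "(pin to an exact version so it can be audited)")
```

Run in CI against the real lock file and a real feed (NVD or OSV data in place of the constructed ADVISORIES list), the same logic turns "monitor for component vulnerabilities" into a build-breaking check; the version comparison is deliberately simple and should be replaced by the ecosystem's own version rules (PEP 440, semver, distro epochs) before relying on it for anything beyond dotted numeric versions.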

Classifications
  • CWE-1395 (Dependency on Vulnerable Third-Party Component); CWE-1104 (Use of Unmaintained Third Party Components) where the component no longer receives security patches
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N (reference vector only; score each finding with the CVSS vector of the specific CVE affecting the identified component and version)
References