
Common Vulnerabilities and Exposures (CVEs)

Severity: Critical to medium
Test name: Common vulnerabilities and exposures (CVEs)
Summary

Web applications are typically built from many components, some commercially provided and others open source: platforms, frameworks, and libraries. Any of these components may contain a weakness that has to be addressed either by patching the component's source code or by upgrading to a version in which it is fixed.

An attack usually begins with the attacker mapping out the application to identify its underlying platform, dependencies, frameworks, and server configuration. With that inventory in hand, they search for publicly documented Common Vulnerabilities and Exposures (CVEs) and exploit code that match the specific platform or component they have identified, and apply those exploits to the targeted application. Rather than crafting new exploits from scratch, attackers frequently rely on known vulnerabilities in the application or its associated components.

Impact

A vulnerable component, such as the operating system, CMS, plugin, or library, can have an impact of varying severity depending on the component and the specific vulnerability.

Location

The issue can be found in the following paths:

  • component/platform software executable
  • component/library source code on both the server and client sides

Remedy suggestions

Keep your components up to date by installing the latest stable version. If updating isn't feasible, remove the dependency or replace it altogether.

To avert problems down the line, adopt a range of precautions for tracking and responding to vulnerabilities in your components. Trim away unused dependencies and features. Routinely inspect both client-side and server-side versions and dependencies. Continuously monitor sources such as CVE (https://cve.mitre.org/) and NVD (https://nvd.nist.gov/) for component vulnerabilities, and subscribe to email alerts. Obtain components exclusively from official sources over secure links, preferring signed packages. Also keep a close watch on components that are no longer maintained or that lack security patches for older versions.
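As an added example (not part of the original page or the scanner's own code), the following script carries out the "routinely inspect versions and dependencies" step offline: it parses a requirements.txt-style manifest, compares each pinned version against an advisory list, and separately reports entries it cannot assess because they are not pinned. The manifest, the advisory entries and their CVE ids are constructed placeholders; in practice the advisory data would be loaded from NVD or a similar feed.

```python
import re

# Constructed sample advisory feed; the ids are placeholders, not real CVE numbers.
ADVISORIES = [
    {"id": "CVE-0000-PLACEHOLDER-1", "package": "examplelib",
     "introduced": "1.0.0", "fixed": "1.4.2", "severity": "critical"},
    {"id": "CVE-0000-PLACEHOLDER-2", "package": "otherlib",
     "introduced": "2.0.0", "fixed": "2.3.0", "severity": "medium"},
]

# Constructed requirements.txt-style inventory of server-side components.
SAMPLE_MANIFEST = """\
examplelib==1.3.0   # inside the affected range
otherlib==2.3.0     # exactly the fixed version, so not affected
unrelated==0.9.1
looselib>=3.0       # unpinned: cannot be assessed from the manifest alone
"""

PIN_RE = re.compile(r"^([A-Za-z0-9_.\-]+)==(\d+(?:\.\d+)*)$")

def parse_version(text):
    # "1.4.2" -> (1, 4, 2); tuple comparison gives numeric ordering, so 1.10 > 1.9
    return tuple(int(part) for part in text.split("."))

def parse_manifest(text):
    # Returns ({name: pinned version}, [names whose version is not pinned])
    pinned, unpinned = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = PIN_RE.match(line)
        if m:
            pinned[m.group(1).lower()] = m.group(2)
        else:
            unpinned.append(re.split(r"[<>=!~ ]", line, maxsplit=1)[0].lower())
    return pinned, unpinned

def find_vulnerable(pinned, advisories):
    # Flag an advisory when the pinned version lies in [introduced, fixed)
    findings = []
    for adv in advisories:
        installed = pinned.get(adv["package"].lower())
        if installed is None:
            continue
        v = parse_version(installed)
        if parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"]):
            findings.append(dict(adv, installed=installed))  # advisory plus the found version
    return findings
```

Running `find_vulnerable(parse_manifest(SAMPLE_MANIFEST)[0], ADVISORIES)` returns the single examplelib finding with its fixed version; the unpinned `looselib` entry comes back in the second element of `parse_manifest`'s result so it can be resolved from a lockfile before assessment.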

Classifications
  • CWE-79
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
References