Оценка уязвимостей cvss 3.0

Can hackers use CVE to attack my organization?

The short answer is yes but many cybersecurity professionals believe the benefits of CVE outweigh the risks:

• CVE is restricted to publicly known vulnerabilities and exposures.
• It improves the shareability of vulnerabilities and exposures within the cybersecurity community.
• Organizations need to protect themselves and their networks by fixing all potential vulnerabilities and exposures while an attacker only needs to find a single vulnerability and exploit it to gain unauthorized access. This is why a list of known vulnerabilities is so valuable and an important part ofnetwork security.
• The growing agreement for the cybersecurity community to share information is reducing the attack vector of many cyber attacks. This is reflected in widespread acceptance that the CVE Board and CVE Numbering Authorities (CNAs) are key organizations in cybersecurity.

As a concrete example, many believe theransomwareWannaCry, which spread through the EternalBlue vulnerability, would have had less impact if the vulnerability was publicly shared.

Databases and collections

The MongoDB database is called cvedb and there are 11 collections:

• cves (Common Vulnerabilities and Exposure items) — source NVD NIST (JSON)
• cpe (Common Platform Enumeration items) — source NVD NIST
• cwe (Common Weakness Enumeration items) — source NVD NIST
• capec (Common Attack Pattern Enumeration and Classification) — source NVD NIST
• ranking (ranking rules per group) — local cve-search
• info (metadata of each collection like last-modified) — local cve-search
• via4 VIA4CVE cross-references.

The Redis database has 3 databases:

• 10: The cpe (Common Platform Enumeration) cache — source MongoDB cvedb collection cpe
• 11: The notification database — source cve-search

The reference database has 3 additional sources:

• Red Hat RPM to CVE database.
• Red Hat RHSA Oval database.

Приготовления

Для демонстрации уязвимости я подниму тестовое окружение. Nagios XI можно вполне легально скачать с официального сайта абсолютно бесплатно. После установки он спокойно проработает в пробном режиме в течение 60 дней. Нам этого вполне достаточно.

Решение поставляется в нескольких вариантах: в виде пакета для дистрибутивов Linux, в виде образа VHD для Windows с поддержкой аппаратной виртуализации на основе гипервизора (Hyper-V) и в формате OVF (Open Virtualization Format), который поддерживается всеми приличными приложениями для виртуализации. Мне удобнее использовать именно последний вариант.

Все манипуляции я буду проводить на последней уязвимой версии системы — 5.4.12, поэтому сначала скачаем ее образ. После этого нужно развернуть его на виртуальной машине. Для этой цели подойдут как коммерческие продукты VMware, так и бесплатные решения типа VirtualBox или того же VMware Player.

Импорт образа Nagios XI 5.4.12 в VMware Workstation

Когда импорт завершится, запустим новоиспеченную виртуалку, после непродолжительной загрузки видим приглашение авторизации в систему, IP-адрес машины и пароль рута. По дефолту это .

Экран приветствия виртуалки Nagios XI

Теперь, как и советует система, нужно перейти в браузере по указанному IP-адресу и выполнить начальную настройку.

Установка Nagios XI через веб-интерфейс

После нажатия на кнопку Install система будет готова к экспериментам.

CVE identifiers

MITRE Corporation’s documentation defines CVE Identifiers (also called «CVE names», «CVE numbers», «CVE-IDs», and «CVEs») as unique, common identifiers for publicly known information-security vulnerabilities in publicly released software packages. Historically, CVE identifiers had a status of «candidate» («CAN-«) and could then be promoted to entries («CVE-«), however this practice was ended some time ago and all identifiers are now assigned as CVEs. The assignment of a CVE number is not a guarantee that it will become an official CVE entry (e.g. a CVE may be improperly assigned to an issue which is not a security vulnerability, or which duplicates an existing entry).

CVEs are assigned by a CVE Numbering Authority (CNA); there are three primary types of CVE number assignments:

1. The Mitre Corporation functions as Editor and Primary CNA
2. Various CNAs assign CVE numbers for their own products (e.g. Microsoft, Oracle, HP, Red Hat, etc.)
3. A third-party coordinator such as CERT Coordination Center may assign CVE numbers for products not covered by other CNAs

When investigating a vulnerability or potential vulnerability it helps to acquire a CVE number early on. CVE numbers may not appear in the MITRE or NVD CVE databases for some time (days, weeks, months or potentially years) due to issues that are embargoed (the CVE number has been assigned but the issue has not been made public), or in cases where the entry is not researched and written up by MITRE due to resource issues. The benefit of early CVE candidacy is that all future correspondence can refer to the CVE number. Information on getting CVE identifiers for issues with open source projects is available from Red Hat.

Coordinación con otras organizaciones

la MITRE CVE List funciona como un sitio centralizado de vulnerabilidades con el que colaboran organizaciones acreditadas en distintos países. A estas organizaciones se les llama Autoridades de Numeración de CVE o CNA (del inglés CVE Numbering Authority) y sus funciones principales son identificar vulnerabilidades, asignar identificadores CVE, informar al MITRE de sus descubrimientos y publicar información sobre vulnerabilidades. Todo ello de forma coordinada con el MITRE. El MITRE es considerado como el CNA primario.​

Para ser CNA se tiene que acreditar haber establecido ciertas prácticas de gestión de vulnerabilidades así como una política de divulgación de vulnerabilidades adecuada. Típicamente los CNA’s que son empresas vinculadas al software, CERT’s (tanto nacionales como empresas) y organizaciones vinculadas al estudio de vulnerabilidades.​

Dentro de los CNA están los CNA Raíz que son organizaciones que cubren cierta área o nicho y controlan al resto de CNA’s dentro de ese nicho. En muchos casos, son compañías importantes, que gestionan vulnerabilidades de sus propios productos (por ejemplo, Apple y Microsoft), o están enfocados en cierto tipo de vulnerabilidad (por ejemplo, Red Hat para software libre).​

Full Listing

Click on a specific month below to see the CVEs from that time period.2020

• January
• February
• March
• April
• May
• June
• July
• August

2019

• January
• February
• March
• April
• May
• June
• July
• August
• September
• October
• November
• December

2018

• January
• February
• March
• April
• May
• June
• July
• August
• September
• October
• November
• December

2017

• January
• February
• March
• April
• May
• June
• July
• August
• September
• October
• November
• December

2016

• January
• February
• March
• April
• May
• June
• July
• August
• September
• October
• November
• December

2015

• January
• February
• March
• April
• May
• June
• July
• August
• September
• October
• November
• December

2014

• January
• February
• March
• April
• May
• June
• July
• August
• September
• October
• November
• December

2013

• January
• February
• March
• April
• May
• June
• July
• August
• September
• October
• November
• December

2012

• January
• February
• March
• April
• May
• June
• July
• August
• September
• October
• November
• December

2011

• January
• February
• March
• April
• May
• June
• July
• August
• September
• October
• November
• December

2010

• January
• February
• March
• April
• May
• June
• July
• August
• September
• October
• November
• December

2009

• January
• February
• March
• April
• May
• June
• July
• August
• September
• October
• November
• December

2008

• January
• February
• March
• April
• May
• June
• July
• August
• September
• October
• November
• December

2007

• January
• February
• March
• April
• May
• June
• July
• August
• September
• October
• November
• December

2006

• January
• February
• March
• April
• May
• June
• July
• August
• September
• October
• November
• December

2005

• January
• February
• March
• April
• May
• June
• July
• August
• September
• October
• November
• December

2004

• January
• February
• March
• April
• May
• June
• July
• August
• September
• October
• November
• December

2003

• January
• February
• March
• April
• May
• June
• July
• August
• September
• October
• November
• December

2002

• January
• February
• March
• April
• May
• June
• July
• August
• September
• October
• November
• December

2001

• January
• February
• March
• April
• May
• June
• July
• August
• September
• October
• November
• December

2000

• January
• February
• March
• April
• May
• June
• July
• August
• September
• October
• November
• December

1999

• January
• February
• March
• April
• May
• June
• July
• August
• September
• October
• November
• December

1998

• January
• February
• March
• April
• May
• June
• July
• August
• September
• October
• November
• December

1997

• January
• February
• March
• April
• May
• June
• July
• August
• September
• October
• November
• December

1996

• January
• February
• March
• April
• May
• June
• July
• August
• September
• October
• November
• December

1995

• January
• February
• March
• April
• May
• July
• August
• September
• October
• November
• December

1994

• January
• February
• March
• April
• May
• June
• July
• August
• September
• October
• November
• December

1993

• January
• February
• April
• May
• August
• September
• October
• December

1992

• February
• March
• April
• May
• June
• July
• November
• December

1991

• January
• February
• March
• May
• August
• September
• October
• December

1990

• January
• May
• August
• October
• December

1989

• January
• July
• October

1988

• October
• November

Where is the latest version of the CVE list?

The latest version of the CVE list can always be found oncve.mitre.org. While the CVE list is free, it can be hard to know which vulnerabilities affect your organization without additional tools. This is why many organizations now use tools that monitor for changes in the CVE list that affect them. 

New CVE identifiers are added daily. Look for sophisticated tools thatautomatically monitor youandyour vendors for vulnerabilities. Managingthird-party risksandfourth-party risksis a fundamental part ofinformation risk managementand yourinformation security policy. Make vulnerability management part of yourvendor risk management,third-party risk management frameworkandcyber security risk assessmentprocesses.

Что такое CVE?

Раньше в различных сервисах для указания одних и тех же уязвимостей использовались разные названия. Для устранения путаницы с названием уязвимостей компания MITRE предложила решение, независимое от различных производителей средств поиска уязвимостей. Это решение было реализовано в виде базы данных уязвимостей CVE Common Vulnerabilities and Exposures (Общие уязвимости и воздействия). Это решение позволило всем специалистам и производителям разговаривать на одном языке.

В данной базе для каждой уязвимости используется следующий атрибут записи CVE- YYYY-NNNN, где YYYY — это год обнаружения уязвимости, а NNNN — ее порядковый номер. В нашем примере уязвимость SSH V.7.7 под названием CVE-2018-15473.

Уязвимости пользуются большим спросом у хакеров и пентестеров. Они могут использоваться для взлома устаревших версий Windows, повышения привилегий и доступа к маршрутизаторам.

CVE-2020-0796 Detail

Modified

This vulnerability has been modified since it was last analyzed by the NVD. It is awaiting reanalysis which may result in further changes to the information provided.

Current Description

A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests, aka ‘Windows SMBv3 Client/Server Remote Code Execution Vulnerability’.

Analysis
Description

A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests, aka ‘Windows SMBv3 Client/Server Remote Code Execution Vulnerability’.

Severity

 

CVSS
Version 3.x
CVSS
Version 2.0

CVSS 3.x Severity and Metrics:

NIST: NVD

Base
Score:  10.0 CRITICAL

Vector: 
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

NVD Analysts use publicly available information to associate vector strings and CVSS scores. We also display any CVSS information provided within the CVE List from the CNA.Note: NVD Analysts have published a CVSS score for this CVE based on publicly available information at the time of analysis. The CNA has not provided a score within the CVE List.

CVSS 2.0 Severity and Metrics:

NIST: NVD

Base
Score:  7.5 HIGH

Vector: 
(AV:N/AC:L/Au:N/C:P/I:P/A:P)

NVD Analysts use publicly available information to associate vector strings and CVSS scores. We also display any CVSS information provided within the CVE List from the CNA.Note: NVD Analysts have published a CVSS score for this CVE based on publicly available information at the time of analysis. The CNA has not provided a score within the CVE List.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace.
We have provided these links to other web sites because they
may have information that would be of interest to you. No
inferences should be drawn on account of other sites being
referenced, or not, from this page. There may be other web
sites that are more appropriate for your purpose. NIST does
not necessarily endorse the views expressed, or concur with
the facts presented on these sites. Further, NIST does not
endorse any commercial products that may be mentioned on
these sites. Please address comments about this page to nvd@nist.gov.

Hyperlink	Resource
http://packetstormsecurity.com/files/156731/CoronaBlue-SMBGhost-Microsoft-Windows-10-SMB-3.1.1-Proof-Of-Concept.html	Third Party Advisory
http://packetstormsecurity.com/files/156732/Microsoft-Windows-SMB-3.1.1-Remote-Code-Execution.html	Third Party Advisory
http://packetstormsecurity.com/files/156980/Microsoft-Windows-10-SMB-3.1.1-Local-Privilege-Escalation.html
http://packetstormsecurity.com/files/157110/SMBv3-Compression-Buffer-Overflow.html
http://packetstormsecurity.com/files/157901/Microsoft-Windows-SMBGhost-Remote-Code-Execution.html
http://packetstormsecurity.com/files/158054/SMBleed-SMBGhost-Pre-Authentication-Remote-Code-Execution-Proof-Of-Concept.html
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796	Patch  Vendor Advisory

Populating the database

For the initial run, you need to populate the CVE database by running:

It will fetch all the existing JSON files from the Common Vulnerabilities
and Exposures feed and the Common Platform Enumeration. The initial
Common Platform Enumeration (CPE) import might take some time depending
of your configuration.

If you want to add the cross-references from NIST, Red Hat and other vendors thanks to VIA4CVE:

NB: If you want to import your own JSON from VIA4CVE, you have to replace URL in sources.ini the VIA4 attribute with .

A more detailed documentation can be found in the Documentations folder of the project.

CVE-2020-1935 Detail

Current Description

In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.

Analysis
Description

In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.

Severity

 

CVSS
Version 3.x
CVSS
Version 2.0

CVSS 3.x Severity and Metrics:

NIST: NVD

Base
Score:  4.8 MEDIUM

Vector: 
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

NVD Analysts use publicly available information to associate vector strings and CVSS scores. We also display any CVSS information provided within the CVE List from the CNA.Note: NVD Analysts have published a CVSS score for this CVE based on publicly available information at the time of analysis. The CNA has not provided a score within the CVE List.

CVSS 2.0 Severity and Metrics:

NIST: NVD

Base
Score:  5.8 MEDIUM

Vector: 
(AV:N/AC:M/Au:N/C:P/I:P/A:N)

NVD Analysts use publicly available information to associate vector strings and CVSS scores. We also display any CVSS information provided within the CVE List from the CNA.Note: NVD Analysts have published a CVSS score for this CVE based on publicly available information at the time of analysis. The CNA has not provided a score within the CVE List.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace.
We have provided these links to other web sites because they
may have information that would be of interest to you. No
inferences should be drawn on account of other sites being
referenced, or not, from this page. There may be other web
sites that are more appropriate for your purpose. NIST does
not necessarily endorse the views expressed, or concur with
the facts presented on these sites. Further, NIST does not
endorse any commercial products that may be mentioned on
these sites. Please address comments about this page to nvd@nist.gov.

Hyperlink	Resource
http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00025.html	Mailing List  Third Party Advisory
https://lists.apache.org/thread.html/r127f76181aceffea2bd4711b03c595d0f115f63e020348fe925a916c%40%3Cannounce.tomcat.apache.org%3E	Mailing List  Vendor Advisory
https://lists.apache.org/thread.html/r441c1f30a252bf14b07396286f6abd8089ce4240e91323211f1a2d75@%3Cusers.tomcat.apache.org%3E	Mailing List  Vendor Advisory
https://lists.apache.org/thread.html/r660cd379afe346f10d72c0eaa8459ccc95d83aff181671b7e9076919@%3Cusers.tomcat.apache.org%3E	Mailing List  Vendor Advisory
https://lists.apache.org/thread.html/r7bc994c965a34876bd94d5ff15b4e1e30b6220a15eb9b47c81915b78@%3Ccommits.tomee.apache.org%3E	Mailing List  Vendor Advisory
https://lists.apache.org/thread.html/r80e9c8417c77d52c62809168b96912bda70ddf7748f19f8210f745b1@%3Cusers.tomcat.apache.org%3E	Mailing List  Vendor Advisory
https://lists.apache.org/thread.html/ra5dee390ad2d60307b8362505c059cd6a726de4d146d63dfce1e05e7@%3Cusers.tomcat.apache.org%3E	Mailing List  Vendor Advisory
https://lists.apache.org/thread.html/rc31cbabb46cdc58bbdd8519a8f64b6236b2635a3922bbeba0f0e3743@%3Ccommits.tomee.apache.org%3E	Mailing List  Vendor Advisory
https://lists.apache.org/thread.html/rd547be0c9d821b4b1000a694b8e58ef9f5e2d66db03a31dfe77c4b18@%3Cusers.tomcat.apache.org%3E	Mailing List  Vendor Advisory
https://lists.debian.org/debian-lts-announce/2020/03/msg00006.html	Mailing List  Third Party Advisory
https://lists.debian.org/debian-lts-announce/2020/05/msg00026.html	Mailing List  Third Party Advisory
https://security.netapp.com/advisory/ntap-20200327-0005/	Third Party Advisory
https://usn.ubuntu.com/4448-1/	Third Party Advisory
https://www.debian.org/security/2020/dsa-4673	Third Party Advisory
https://www.debian.org/security/2020/dsa-4680	Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2020.html	Patch  Third Party Advisory

How UpGuard can help protect your organization from vulnerabilities

UpGuardhelps companies likeIntercontinental Exchange,Taylor Fry,The New York Stock Exchange, IAG, First State Super, Akamai, Morningstar and NASA protect their data and prevent data breaches.

Ourdata breach researchhas been featured in theNew York Times,Bloomberg,Washington Post,ForbesandTechcrunch.

UpGuard BreachSightcan help combattyposquatting, preventdata breachesanddata leaks, avoiding regulatory fines and protecting your customer’s trust through cyber security ratings and continuous exposure detection. 

We can also help youcontinuously monitor, rate and send security questionnaires to your vendorsto controlthird-party riskandfourth-party riskand improve your security posture, as well asautomatically create an inventory, enforce policies, and detect unexpected changes to your IT infrastructure. Helping you scale yourvendor risk management,third-party risk managementandcyber security risk assessmentprocesses.

Cybersecurity is becoming more importantthan ever before.

CVE data fields

The CVE database contains several fields:

Description

This is a standardized text description of the issue(s). One common entry is:

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. 

This means that the entry number has been reserved by Mitre for an issue or a CNA has reserved the number. So in the case where a CNA requests a block of CVE numbers in advance (e.g. Red Hat currently requests CVEs in blocks of 500), the CVE number will be marked as reserved even though the CVE itself may not be assigned by the CNA for some time. Until the CVE is assigned, Mitre is made aware of it (i.e., the embargo passes and the issue is made public), and Mitre has researched the issue and written a description of it, entries will show up as «**RESERVED **».

References

This is a list of URLs and other information

This is the date the entry was created. For CVEs assigned directly by Mitre, this is the date Mitre created the CVE entry. For CVEs assigned by CNAs (e.g. Microsoft, Oracle, HP, Red Hat, etc.) this is also the date that was created by Mitre, not by the CNA. The case where a CNA requests a block of CVE numbers in advance (e.g. Red Hat currently requests CVEs in blocks of 500) the entry date that CVE is assigned to the CNA.

Obsolete fields

The following fields were previously used in older CVE records, but are no longer used.

• Phase: The phase the CVE is in (e.g. CAN, CVE).
• Votes: Previously board members would vote yay or nay on whether or not the CAN should be accepted and turned into a CVE.
• Comments: Comments on the issue.
• Proposed: When the issue was first proposed.

Changes to syntax

In order to support CVE ID’s beyond CVE-YEAR-9999 (aka the CVE10k problem, cf. year 10,000 problem) a change was made to the CVE syntax in 2014 and took effect on Jan 13, 2015.

The new CVE-ID syntax is variable length and includes:

CVE prefix + Year + Arbitrary Digits

NOTE: The variable length arbitrary digits will begin at four (4) fixed digits and expand with arbitrary digits only when needed in a calendar year, for example, CVE-YYYY-NNNN and if needed CVE-YYYY-NNNNN, CVE-YYYY-NNNNNN, and so on. This also means there will be no changes needed to previously assigned CVE-IDs, which all include a minimum of 4 digits.

Зарубежные сайты для поиска уязвимостей

Теперь когда мы знаем, что такое CVE, давайте перейдем к списку лучших сайтов для поиска уязвимостей. Я намеренно начинаю обзор с зарубежных ресурсов

Рекомендую обратить внимание именно на них. Ведь информационная безопасность как и любая другая область IT требует знания английского языка

Без этого никак, и чем раньше вы начнете выходить из зоны комфорта и мучить этим свой мозг, тем лучше.

CIRCL

Центр реагирования на компьютерные инциденты CIRCL — это организация, которая фокусируется на взломах и информационной безопасности.

На сайте CIRCL представлены публикации исследований безопасности и база данных уязвимостей для поиска.

VulDB

На протяжении десятилетий специалисты VulDB работали с крупными и независимыми сообществами в сфере информационной безопасности для создания базы данных с возможностью поиска более 124000 уязвимостей.

Сотни новых уязвимостей еженедельно добавляются на сайт, которые в зависимости от серьезности получают метку (низкий, средний, высокий).

SecurityFocus

В прошлом SecurityFocus информировал о случаях взлома и публиковал всевозможные материалы по теме информационной безопасности.

В настоящее время сервис отслеживает отчеты об ошибках программного обеспечения и с 1999 года ведет архив CVE с возможностью быстрого поиска уязвимости.

40day.today

0day.today (доступный через Tor) — это база данных уязвимостей, которая также продает личные эксплойты, цена которых не превышает 5000$.

Есть несколько сообщений о мошеннических действиях с частными продажами, но несмотря на это база данных уязвимостей, доступна для бесплатного поиска и вполне законна для использования.

Rapid7

У Rapid7, создателей знаменитого фреймворка Metasploit, тоже есть свой архив уязвимостей. Однако, в отличие от других баз данных, Rapid7 очень редко использует фактический код уязвимости CVE. Вместо этого сервис предлагает советы, содержащие полезные ссылки на соответствующую документацию для исправления, а также ссылки на модули msfconsole.

К примеру, вышеупомянутую уязвимость SSH CVE-2018-15473 можно найти в msfconsole и применить с большой легкостью.

NIST

Национальный институт стандартов и технологий NIST — это одна из старейших физико-технических лабораторий в США. В настоящее время он участвует в проекте «Национальная инициатива по образованию в области кибербезопасности».

Ведет свою базу данных уязвимостей, которая открыта для публичного использования.

Packet Storm Security

Packet Storm Security не предназначен для поиска уязвимостей. На сайте Packet Storm вы можете узнавать о новостях мира информационной безопасности, читать публикации о новых уязвимостях и инструментах используемых в пентесте и в защите от компьютерных атак.

Exploit Database

База данных Exploit Database в настоящее время поддерживается организацией Offensive Security, которая специализируется на взломе Windows и безопасности веб-приложений.

В своей базе данных, доступной для поиска, на данный момент более 40000 уязвимостей. Есть также сервис Google hacking database, о котором мы рассказывали в статье Google Dorks.

Exploit Database — это очень популярный сервис, которым пользуются пентестеры и хакеры. На мой взгляд это самый удобный сервис. Найти уязвимость можно как по названию, так и по определенным категориям, которые упрощают поиск.

Vulners

Vulners, основанная Киром Ермаковым, представляет собой базу данных CVE, в настоящее время содержащую более 176500 уязвимостей. Сайт включает статистику CVE, аудитор управления уязвимостями Linux.

CVE SPLIT and MERGE

CVE attempts to assign one CVE per security issue, however in many cases this would lead to an extremely large number of CVEs (e.g. where several dozen cross-site scripting vulnerabilities are found in a PHP application due to lack of use of or the insecure creation of files in ). To deal with this there are guidelines (subject to change) that cover the splitting and merging of issues into distinct CVE numbers. As a general guideline one should first consider issues to be merged, then issues should be split by the type of vulnerability (e.g. buffer overflow vs. stack overflow), then by the software version affected (e.g. if one issue affects version 1.3.4 through 2.5.4 and the other affects 1.3.4 through 2.5.8 they would be SPLIT) and then by the reporter of the issue (e.g. Alice reports one issue and Bob reports another issue the issues would be SPLIT into separate CVE numbers). Another example is Alice reports a /tmp file creation vulnerability in version 1.2.3 and earlier of ExampleSoft web browser, in addition to this issue several other file creation issues are found, in some cases this may be considered as two reporters (and thus SPLIT into two separate CVEs, or if Alice works for ExampleSoft and an ExampleSoft internal team finds the rest it may be MERGE’ed into a single CVE). Conversely, issues can be merged, e.g. if Bob finds 145 XSS vulnerabilities in ExamplePlugin for ExampleFrameWork regardless of the versions affected and so on they may be merged into a single CVE.