What is included in a vendor’s vulnerabilities?

Learn about how UpGuard uncovers vendor vulnerabilities, CVSS, CVE IDs, and more.

Written by Abi Tyas Tunggal

The Vulnerabilities module in UpGuard Vendor Risk lists vulnerabilities identified through information exposed in your vendor’s HTTP headers, website content, and open ports.

As UpGuard scans from outside companies’ networks, there are some vulnerabilities we can confirm (verified vulnerabilities), but others we only know may exist based on the detected software version (unverified vulnerabilities).

When verified vulnerabilities are detected, they’ll appear in your vendor’s risk profile and are available in remediation and risk assessment workflows. You can also see which vulnerabilities are known to be actively targeted by threat actors in order to prioritize remediating those at highest risk of exploitation.

What is the difference between an unverified and verified vulnerability?

When we identify that a vendor's website is running a specific software version that has known vulnerabilities, we are often unable to verify whether the vulnerability exists. Rather, we can only verify that it may exist based on the exposed information.

This is also why unverified vulnerabilities appear as informational through other parts of UpGuard, such as a vendor's risk profile or during risk remediation workflows.

In contrast, for some vulnerabilities, we can run a specific test that is able to confirm the domain is vulnerable to that vulnerability. The details of each test are unique to each CVE.

In short, unverified vulnerabilities may be exploitable and therefore appear as informational risks while verified vulnerabilities are exploitable and have risk classifications.

How to filter vulnerabilities

To filter vulnerabilities, click Apply filters in the top right corner of your screen.

This will cause a panel to slide out from the right side of your screen. In the panel, you can filter by label, verified and/or known exploited status, CVE ID, software, and CVSS severity. When you are happy with your selection, click Apply.

What is a CVE ID?

Each vulnerability in CVE is described as a known vulnerability or exposure and is given a standard identifier number with status indicator (i.e. "CVE-1999-0067", "CVE-2014-12345", "CVE-2016-7654321"), a brief description and references related vulnerability reports and advisories.

Each CVE ID is formatted as CVE-YYYY-NNNNN. The YYYY portion is the year the CVE ID was assigned or the year the vulnerability was made public.

Unlike vulnerability databases, CVE entries do not include risk, impact fix or other technical information.

We show each vulnerability CVE ID in the UpGuard platform.

What is CVE?

The vulnerabilities reported in your vendor’s Vulnerabilities section have been published to the Common Vulnerabilities and Exposures (CVE) database, a list of publicly disclosed vulnerabilities.

CVE was launched in 1999 by the MITRE corporation to identify and categorize vulnerabilities in software and firmware. MITRE is a nonprofit that operates federally funded research and development centers in the United States.

What is CVSS?

CVSS or Common Vulnerability Scoring System is a published standard developed to capture the principal characteristics of a vulnerability that produces a numerical score between 0 and 10 reflecting severity.

 

See also: