3 - Vulnerabilities & Assessment

NOTE: Assessments ranging from basic security checklists to in-depth penetration testing are offered by virtually all of the vendors listed under Tab 1 - Research Groups.
National Vulnerability Database
https://nvd.nist.gov/
https://nvd.nist.gov/vuln/search
Contains more than 150,000 known vulnerabilities in hardware and software.

Google 0-day Tracking Worksheet (vulnerabilities detected in attacks)
https://googleprojectzero.blogspot.com/p/0day.html

DHS CISA Alerts & other products
https://us-cert.cisa.gov/ncas/alerts

MITRE Common Vulnerabilities and Exposures
https://cve.mitre.org/
Focus on the severity metric/rating, which ranges from 0 (least severe) to 10 (most severe).

MITRE Common Weakness Enumeration
https://cwe.mitre.org/

Bugtraq
https://www.securityfocus.com/
Bitsight
https://www.bitsight.com/
Provides ratings from 250 to 900 across 20 categories of cyber security.

Security Scorecard

Shodan
https://www.shodanhq.com

Nessus Vulnerability Scanner Scripting Language Plugins
https://www.tenable.com/plugins
Plugins for use with the Nessus vulnerability scanner to identify the specific characteristics of a vulnerability.

Nmap Scripting Engine (NSE) Library
https://nmap.org/book/nse.html
https://nmap.org/book/nse-library.html#nse-library-list
Scripts for use with the Nmap network mapper to identify the specific characteristics of a vulnerability.
Einstein Continuous Monitoring
https://www.cisa.gov/publication/einstein-3-accelerated

DoD HBSS (Host Based Security System)
https://en.wikipedia.org/wiki/Host_Based_Security_System

See the Attack Analyses Tab for links to malware and packaged exploits.

DHS Computer Security Evaluation Tool (CSET) Assessment
https://us-cert.cisa.gov/ics/Downloading-and-Installing-CSET

Pacific National Lab Industrial Control Systems Assessment Tool
https://facilitycyber.labworks.org/assessments/fcf1.1

Google Open Source Vulnerabilities
https://osv.dev/

2022 Software Common Weakness Enumeration (CWE) Top 25, including the overall score of each.
SOURCE: https://cwe.mitre.org/top25/archive/2022/2022_cwe_top25.html

Rank | ID | Name | Score
1 | CWE-787 | Out-of-bounds Write | 64.2
2 | CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 45.97
3 | CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 22.11
4 | CWE-20 | Improper Input Validation | 20.63
5 | CWE-125 | Out-of-bounds Read | 17.67
6 | CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | 17.53
7 | CWE-416 | Use After Free | 15.5
8 | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 14.08
9 | CWE-352 | Cross-Site Request Forgery (CSRF) | 11.53
10 | CWE-434 | Unrestricted Upload of File with Dangerous Type | 9.56
11 | CWE-476 | NULL Pointer Dereference | 7.15
12 | CWE-502 | Deserialization of Untrusted Data | 6.68
13 | CWE-190 | Integer Overflow or Wraparound | 6.53
14 | CWE-287 | Improper Authentication | 6.35
15 | CWE-798 | Use of Hard-coded Credentials | 5.66
16 | CWE-862 | Missing Authorization | 5.53
17 | CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') | 5.42
18 | CWE-306 | Missing Authentication for Critical Function | 5.15
19 | CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | 4.85
20 | CWE-276 | Incorrect Default Permissions | 4.84
21 | CWE-918 | Server-Side Request Forgery (SSRF) | 4.27
22 | CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | 3.57
23 | CWE-400 | Uncontrolled Resource Consumption | 3.56
24 | CWE-611 | Improper Restriction of XML External Entity Reference | 3.38
25 | CWE-94 | Improper Control of Generation of Code ('Code Injection') | 3.32

2020 Software Common Weakness Enumeration (CWE) Top 25, including the overall score of each.
SOURCE: https://cwe.mitre.org/top25/archive/2020/2020_cwe_top25.html

Rank | ID | Name | Score
1 | CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 46.82
2 | CWE-787 | Out-of-bounds Write | 46.17
3 | CWE-20 | Improper Input Validation | 33.47
4 | CWE-125 | Out-of-bounds Read | 26.5
5 | CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | 23.73
6 | CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 20.69
7 | CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | 19.16
8 | CWE-416 | Use After Free | 18.87
9 | CWE-352 | Cross-Site Request Forgery (CSRF) | 17.29
10 | CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | 16.44
11 | CWE-190 | Integer Overflow or Wraparound | 15.81
12 | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 13.67
13 | CWE-476 | NULL Pointer Dereference | 8.35
14 | CWE-287 | Improper Authentication | 8.17
15 | CWE-434 | Unrestricted Upload of File with Dangerous Type | 7.38
16 | CWE-732 | Incorrect Permission Assignment for Critical Resource | 6.95
17 | CWE-94 | Improper Control of Generation of Code ('Code Injection') | 6.53
18 | CWE-522 | Insufficiently Protected Credentials | 5.49
19 | CWE-611 | Improper Restriction of XML External Entity Reference | 5.33
20 | CWE-798 | Use of Hard-coded Credentials | 5.19
21 | CWE-502 | Deserialization of Untrusted Data | 4.93
22 | CWE-269 | Improper Privilege Management | 4.87
23 | CWE-400 | Uncontrolled Resource Consumption | 4.14
24 | CWE-306 | Missing Authentication for Critical Function | 3.85
25 | CWE-862 | Missing Authorization | 3.77

2019 Software Common Weakness Enumeration (CWE) Top 25, including the overall score of each.
SOURCE: https://cwe.mitre.org/top25/archive/2019/2019_cwe_top25.html

Rank | ID | Name | Score
1 | CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | 75.56
2 | CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 45.69
3 | CWE-20 | Improper Input Validation | 43.61
4 | CWE-200 | Information Exposure | 32.12
5 | CWE-125 | Out-of-bounds Read | 26.53
6 | CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 24.54
7 | CWE-416 | Use After Free | 17.94
8 | CWE-190 | Integer Overflow or Wraparound | 17.35
9 | CWE-352 | Cross-Site Request Forgery (CSRF) | 15.54
10 | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 14.10
11 | CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | 11.47
12 | CWE-787 | Out-of-bounds Write | 11.08
13 | CWE-287 | Improper Authentication | 10.78
14 | CWE-476 | NULL Pointer Dereference | 9.74
15 | CWE-732 | Incorrect Permission Assignment for Critical Resource | 6.33
16 | CWE-434 | Unrestricted Upload of File with Dangerous Type | 5.50
17 | CWE-611 | Improper Restriction of XML External Entity Reference | 5.48
18 | CWE-94 | Improper Control of Generation of Code ('Code Injection') | 5.36
19 | CWE-798 | Use of Hard-coded Credentials | 5.12
20 | CWE-400 | Uncontrolled Resource Consumption | 5.04
21 | CWE-772 | Missing Release of Resource after Effective Lifetime | 5.04
22 | CWE-426 | Untrusted Search Path | 4.40
23 | CWE-502 | Deserialization of Untrusted Data | 4.30
24 | CWE-269 | Improper Privilege Management | 4.23
25 | CWE-295 | Improper Certificate Validation | 4.06