Common Vulnerabilities and Exposures (CVE)


Glasstrail tries to detect Common Vulnerabilities and Exposures (CVEs) on your websites.

Glasstrail's detection of CVE follows the same philosophy as the rest of the product; that is, we look for issues an adversary could discover with moderate, automated investment. Our detection algorithm does not replace what might be discoverable by a full penetration test. But it is more timely, isn’t intrusive or destructive and does help round out the picture of what is visible via automated means.

What is CVE?

A CVE (Common Vulnerabilities and Exposures) entry is a publicly disclosed cybersecurity vulnerability with a unique identifier. The CVE list is managed by the MITRE Corporation, and the database is shared by several national cybersecurity services, for example NIST's National Vulnerability Database (NVD).

CVE standardizes the identification of security threats, making it easier for people to share information and coordinate responses. 

Each CVE entry includes a unique ID, a brief description, and references to related reports and advisories. The severity of the CVE is calculated separately using a scoring system called Common Vulnerability Scoring System (CVSS). This can be used to prioritise addressing the CVE. It doesn’t necessarily map to the risk of the CVE being exploited, because that’s specific to your environment. 

CVE detection in Glasstrail

How does Glasstrail’s CVE detection work?

A CVE is tied to a specific version of a piece of software (or a range of versions). Because we already detect the technologies used on your websites, if we find a specific version number during that detection we can check it against the CVE database.

If we find a match, we raise a finding. To do this check reliably, the detected software and version must be expressed in a standard called CPE (Common Platform Enumeration), which is published by NIST. Only if we can determine the CPE can we reliably check the CVE database.

In some cases a CVE will say it applies to versions X and below, or to versions between Y and Z. We raise a finding in these cases as well, and let you know which versions are affected.

If we can’t detect the specific version (CPE) of software, chances are that adversaries can’t easily detect it either by automated means. 

This is actually the case for a lot of modern software: vendors now know that advertising a version number is risky for exactly this reason, so the CVE can be harder to detect (which is a good thing).

There are also lots of CVEs that are not related to web software, for example for desktop applications and operating systems; we don't detect those either.

Our detection mechanism doesn’t guarantee the CVE is present on your site but it certainly warrants further investigation.

Where do I look for CVE findings?

In your Glasstrail dashboard, you'll find CVE findings in the Website security section.

We show both confirmed and potential CVEs. In the case of a potential CVE, we have been unable to confirm whether the version you are running falls in the affected range, so you will need to check this. If your version is not affected, don't forget to change the status of the finding to not relevant.

Severity & CVE

  • Confirmed CVEs are graded as medium severity issues, but the actual severity may differ. You can review any logged vulnerability metrics (CVSS) via the link to NVD in the finding card, and make your own assessment.
  • Potential CVEs are graded as low severity, but if you confirm that your software/hardware is affected by the vulnerability, the severity may be higher.
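The version-range matching described under "How does Glasstrail's CVE detection work?" and the confirmed/potential split above, as an added Python sketch that is not Glasstrail's own code. The vendor, product and CVE records are constructed placeholders, and representing ranges with the NVD-style fields versionStartIncluding / versionEndIncluding / versionEndExcluding is an assumption of this example.

```python
"""Toy version-range matcher. Added illustration, not Glasstrail's code: the NVD
field names are real, but the CVE records below are constructed placeholders."""
from typing import Optional

W = 4        # assumed maximum number of numeric version components
HI = 10**9   # stands in for "any value" when padding a partial version

def pad(version: str, fill: int) -> tuple:
    """'3.2' -> (3, 2, fill, fill); non-numeric parts compare as 0 (assumption)."""
    parts = tuple(int(p) if p.isdigit() else 0 for p in version.split("."))
    return parts + (fill,) * (W - len(parts))

def to_cpe(vendor: str, product: str, version: Optional[str]) -> str:
    """CPE 2.3 formatted name for an application; '*' marks an undetected version."""
    return f"cpe:2.3:a:{vendor}:{product}:{version or '*'}:*:*:*:*:*:*:*"

def rule_interval(rule: dict):
    """Affected range as (start, end, end_inclusive), open-ended where unspecified."""
    start = pad(rule.get("versionStartIncluding", "0"), 0)
    if "versionEndExcluding" in rule:
        return start, pad(rule["versionEndExcluding"], 0), False
    return start, pad(rule.get("versionEndIncluding", str(HI)), HI), True

CVE_DB = [  # constructed records; the IDs are placeholders, not real CVEs
    {"id": "CVE-0000-0001", "vendor": "examplevendor", "product": "webapp",
     "versionEndIncluding": "2.4.0"},                                    # "X and below"
    {"id": "CVE-0000-0002", "vendor": "examplevendor", "product": "webapp",
     "versionStartIncluding": "3.0.0", "versionEndExcluding": "3.2.5"},  # "between Y and Z"
]

def match(vendor: str, product: str, version: Optional[str]):
    """Return (cpe, [(cve_id, 'confirmed' | 'potential')]). 'potential' = product matches
    but the version (absent, or partial like '3.2') does not settle whether it is in range."""
    cpe, hits = to_cpe(vendor, product, version), []
    for rule in CVE_DB:
        if (rule["vendor"], rule["product"]) != (vendor, product):
            continue
        if version is None:
            hits.append((rule["id"], "potential"))
            continue
        lo, hi = pad(version, 0), pad(version, HI)   # span the detected version covers
        start, end, incl = rule_interval(rule)
        inside = start <= lo and (hi <= end if incl else hi < end)
        overlaps = hi >= start and (lo <= end if incl else lo < end)
        if inside:
            hits.append((rule["id"], "confirmed"))
        elif overlaps:
            hits.append((rule["id"], "potential"))
    return cpe, hits
```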

Example findings

[Example finding illustrations are not reproduced in this text version.]