Name in API: potentially_vulnerable
Decay window: 45 days
Severity: Informational (in Scoring 2.0); High (in Scoring 3.0)
Factor: Application Security
Why this matters
We detected a product in this network with a potential vulnerability. If it is an actual vulnerability, threat actors could exploit it and launch a cyberattack.
This organization's customers, prospective partners, or insurers may want to know if the organization is aware of the potential vulnerability and how they are addressing it.
How we differentiate potential and score-impacting vulnerabilities
In our recurring internet scans, we detect products running on open ports of IP addresses. We then correlate these products with any applicable common vulnerability enumerations (CVEs) in the National Vulnerability Database (NVD).
Vulnerabilities that impact your score
We flag a vulnerability that impacts your score if:
- We see a match between a product and a CVE ID, and
- The CVE applies to specific product versions, and
- We can identify that the product version matches one of the versions listed in the CVE.
The finding for a rated vulnerability appears in one of the following issue types in the Patching Cadence factor:
- High-, Medium-, Low-severity vulnerability in last observation
- High-, Medium-, Low-severity CVE Patching Cadence
You can remediate a rated vulnerability by patching it to a non-vulnerable version.
Learn more about remediating and resolving rated vulnerability findings.
Potential vulnerabilities
We flag a potential vulnerability, which does not impact your score, if:
- We see a match between a product and a CVE ID, and either:
  - We cannot identify the version of the product, or
  - The CVE does not apply to specific product versions.
If we are later able to detect a vulnerable version number on the product, we then flag it as a rated vulnerability and move the finding to one of the score-impacting issue types in the Patching Cadence factor.
See potential vulnerability findings in the user interface
You can quickly determine if you or another organization has potential vulnerability findings.
Find potential vulnerabilities in the user interface the following ways:
- Go to the Application Security factor tab or Issues tab for a Scorecard and look for the Potential Vulnerability Detected issue type.
- In a Portfolio, click Filters and search for Scorecards with the Potential Vulnerability Detected issue type. Then see the findings in the Issues or Application Security factor tab for any Scorecard that matches the search.
Use the API to see potential vulnerability findings
To see any potential vulnerabilities on a Scorecard using the platform API, query the potentially_vulnerable endpoint. Try it out in our Developers' Hub.
Make sure you have an API token
Before you use the platform API, make sure you have an API token for authentication. Learn how to generate a token. You specify the token in the authorization header with the following syntax:
--header 'Authorization: Token (token)'
Specify a Scorecard to query on
For any query, specify a Scorecard domain for the required scorecard_identifier path parameter.
Run a basic query for all findings
To find all potential vulnerabilities for that Scorecard, run a basic request, as in the following example:
curl --request GET \
  --url https://api.securityscorecard.io/companies/example.com/issues/potentially_vulnerable \
  --header 'Authorization: Token (token)' \
  --header 'accept: application/json; charset=utf-8'
See the following example of a response. We have removed most of the entries for display purposes because the query returned 500 findings.
{
  "entries": [
    {
      "parent_domain": "example.com",
      "feedback": [],
      "count": 5,
      "first_seen_time": "2022-12-05T23:31:18.000Z",
      "last_seen_time": "2022-12-15T10:09:12.000Z",
      "ip": "123.45.678.91",
      "port": 443,
      "product": "F5 BIG-IP load balancer http proxy",
      "cve_id": "CVE-2022-1388",
      "issue_id": "004cf20c-f161-5113-a9f5-6da2aaced621"
    },
    {
      "parent_domain": "example.com",
      "feedback": [],
      "count": 1,
      "first_seen_time": "2022-12-15T11:27:44.000Z",
      "last_seen_time": "2022-12-15T11:27:44.000Z",
      "ip": "123.45.678.92",
      "port": 22,
      "product": "Cisco SSH",
      "cve_id": "CVE-2017-6739",
      "banner": "SSH-2.0-Cisco-1.25\\n\\x00\\x00\\x014\\x04\\x14C\\x9E\\x86\\x0B\\x06\\x0B\\r\\xA9\\x13\\x19v-\\xCF<Y7\\x00\\x00\\x00>diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1\\x00\\x00\\x00\\x07ssh-rsa\\x00\\x00\\x00 aes1",
      "issue_id": "007c37fd-fb6c-5cff-a71e-813482e1f085"
    },
    {
      "parent_domain": "example.com",
      "feedback": [],
      "count": 2,
      "first_seen_time": "2022-12-14T07:49:05.000Z",
      "last_seen_time": "2022-12-15T18:47:43.000Z",
      "ip": "123.45.678.93",
      "port": 2222,
      "product": "OpenSSH",
      "cve_id": "CVE-2022-42896",
      "banner": "cpe:/a:openbsd:openssh:8.2p1",
      "issue_id": "01b51349-f9f7-545c-8525-c32eb2d3cb01"
    },
    //additional findings removed for display purposes
    {
      "parent_domain": "example.com",
      "feedback": [],
      "count": 3,
      "first_seen_time": "2022-11-30T23:00:46.000Z",
      "last_seen_time": "2022-12-15T18:41:15.000Z",
      "ip": "123.45.678.94",
      "port": 443,
      "product": "Microsoft IIS httpd",
      "cve_id": "CVE-2021-36958",
      "banner": "HTTP/1.1 302 Found\\r\\nCache-Control: no-cache,no-store\\r\\nContent-Type: text/html; charset=utf-8\\r\\nLocation: /error.htmlprotocols?aspxerrorpath=/\\r\\nServer: Microsoft-IIS/10.0\\r\\nX-Powered-By: ASP.NE",
      "issue_id": "fe5b6e7c-378d-51c2-95b1-a769f32175f3"
    }
  ]
}
Returned data fields
See the following table for descriptions of returned data fields.
Field | Description |
parent_domain | Scorecard domain that you queried on. |
feedback | Brief summary indicating that the Scorecard owner resolved the finding, or that our Support team rejected the user's request to resolve it. Some examples of values are remediation and compensating control. If no resolution attempt was made yet, the field is blank. |
count | Number of findings for the vulnerability cited in the entry. |
first_seen_time | First date and time that we detected the finding. |
last_seen_time | Most recent date and time that we detected the finding. |
ip | IP address of the asset that we discovered the vulnerability on. |
port | Number of the port that we discovered the vulnerability on. |
product | Software product that we discovered the vulnerability on. |
cve_id | Common vulnerability enumeration (CVE) identifier for the potential vulnerability. See the National Vulnerability Database (NVD) for a full list of CVEs. |
banner | Metadata about the product. |
issue_id | ID that SecurityScorecard assigned to the issue finding. We display this data in the Findings table for any issue type. |
Refine your query with specific parameters
Use the following query parameters to make your search more specific and narrow down the results. See examples of requests with some of these parameters.
Use this parameter... | ...to specify... |
issue_id | ...potential vulnerabilities associated with a specific issue finding in your Scorecard. See issue_id in the preceding table. |
issue_id_in | ...potential vulnerabilities associated with any of a series of specific issue findings. Separate each ID with a comma. |
first_time_seen_from, first_time_seen_to, last_time_seen_from, last_time_seen_to | These parameters appear in the API reference in Developers' Hub, but they are not currently available. |
Request examples with some added query parameters
Example with issue_id_in parameter
curl --request GET \
  --url 'https://api.securityscorecard.io/companies/example.com/issues/potentially_vulnerable?issue_id_in=e50ab1d4-2184-50f4-8810-887d21c4c800%2Cc018762b-751a-5bdf-b321-b8350b45e617' \
  --header 'Authorization: Token (token)' \
  --header 'accept: application/json; charset=utf-8'
Example with first_time_seen_from and first_time_seen_to parameters
curl --request GET \
  --url 'https://api.securityscorecard.io/companies/example.com/issues/potentially_vulnerable?issue_id=004cf20c-f161-5113-a9f5-6da2aaced621&first_seen_time_from=2022-12-05T23%3A31%3A18.000Z&first_seen_time_to=2022-12-05T23%3A31%3A18.000Z' \
  --header 'Authorization: Token (token)' \
  --header 'accept: application/json; charset=utf-8'
How you can remediate a potential vulnerability
Identify the version of the product running on the IP address listed in the Findings table of your issue type details page. Search for vulnerability advisories about that version published by the product provider or the NVD. Follow the remediation guidance of the provider or trusted industry experts.
If possible, move the server with the potentially vulnerable product behind a firewall. Threat actors continuously research product vulnerabilities to expand their attack targets. Concealing a potentially vulnerable product from the internet gives threat actors one less target.
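The returned fields and the version-identification step above, worked through in Python as an added example (not SecurityScorecard code): it builds the request URL with the issue_id_in comma encoded once, pulls a version hint out of each banner, and estimates when a finding would decay. The sample entries, the 203.0.113.x addresses, the function names, and the choice to count the 45-day window from last_seen_time are assumptions of this example.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import quote, urlencode
API = "https://api.securityscorecard.io"
DECAY = timedelta(days=45)  # decay window stated on this page
# Banners carry control bytes escaped as text (literal backslash + "n"), so groups stop at a backslash.
HINTS = [
    re.compile(r"cpe:/[aho]:[^:]+:[^:]+:([\w.\-~]+)"),      # CPE URI: version part
    re.compile(r"^SSH-\d+\.\d+-([\w.\-]+)"),                 # SSH identification string
    re.compile(r"(?:^|\n|\\n)Server:\s*([\w./\-]+)", re.I),  # HTTP Server header
]
# Constructed sample entries in the shape of the response above (RFC 5737 addresses).
SAMPLE = [
    {"ip": "203.0.113.10", "port": 443, "cve_id": "CVE-2022-1388", "last_seen_time": "2022-12-15T10:09:12.000Z"},
    {"ip": "203.0.113.11", "port": 22, "cve_id": "CVE-2017-6739", "last_seen_time": "2022-12-15T11:27:44.000Z", "banner": r"SSH-2.0-Cisco-1.25\n\x00\x00"},
    {"ip": "203.0.113.12", "port": 2222, "cve_id": "CVE-2022-42896", "last_seen_time": "2022-12-15T18:47:43.000Z", "banner": "cpe:/a:openbsd:openssh:8.2p1"},
    {"ip": "203.0.113.13", "port": 443, "cve_id": "CVE-2021-36958", "last_seen_time": "2022-12-15T18:41:15.000Z", "banner": r"HTTP/1.1 302 Found\r\nServer: Microsoft-IIS/10.0\r\nX-Powered-By: ASP.NE"},
]

def build_url(domain, issue_ids=()):
    """Request URL; urlencode() encodes the issue_id_in comma exactly once (%2C)."""
    url = f"{API}/companies/{quote(domain, safe='')}/issues/potentially_vulnerable"
    if issue_ids:
        url += "?" + urlencode({"issue_id_in": ",".join(issue_ids)})
    return url

def version_hint(banner):
    """Return a version string visible in the banner, or None if there is none."""
    for pattern in HINTS:
        match = pattern.search(banner or "")
        if match:
            return match.group(1)
    return None

def triage(entries, now):
    """One row per finding; findings with no version hint sort first."""
    rows = []
    for e in entries:
        last = datetime.strptime(e["last_seen_time"], "%Y-%m-%dT%H:%M:%S.%fZ")
        decays = last.replace(tzinfo=timezone.utc) + DECAY  # assumption: counted from last_seen_time
        rows.append({"asset": f'{e["ip"]}:{e["port"]}', "cve_id": e["cve_id"],
                     "version_hint": version_hint(e.get("banner")),
                     "decays_on": decays.date().isoformat(),
                     "within_decay_window": now < decays})
    return sorted(rows, key=lambda r: (r["version_hint"] is not None, r["asset"]))

if __name__ == "__main__":
    for row in triage(SAMPLE, datetime.now(timezone.utc)):
        print(row)
```

A banner hint is only a starting point: confirm the version on the host itself before comparing it with the advisory for the listed CVE.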
Can you resolve it in SecurityScorecard?
The purpose of this issue type is to make VRM teams in other organizations aware of potential risks in your network. To promote a secure ecosystem, we want the findings to remain visible on your Scorecard. For that reason, we do not support resolution for this issue type.
You can comment on the issue to show other organizations that you have addressed it to protect your organization and your customers and partners. Indicate in your comment how you have addressed the finding, as with the following examples:
- You have performed remediation steps.
- You have enacted compensating controls.
- You can demonstrate that the finding is incorrect.
- The flagged IP or domain does not belong to your organization.
Note: To prevent future findings on specific assets, manage these assets in your Digital Footprint.
How to comment on an issue type
To make a comment, click Edit in the Comment on Issue section...
Then select one of the preset comments and click Save.
Or enter your own comment and click Request Approval, so that we can review the comment and then post it.
Note: If you move the potentially vulnerable product behind a firewall so that it is no longer exposed to the internet, the finding decays after 45 days and we remove it from your Scorecard.