Skip to main content

Address score-impacting CVEs in your Scorecard

Mark Glinski
  • Updated

In this article:

    As of the August, 2022, scoring update, all low-, medium-, and high-severity Common Vulnerability Enumerations (CVEs) that we discover in your domains will impact your Scorecard score. Issue types that list the CVEs are grouped according to CVE severity levels that correspond to their Common Vulnerability Scoring System (CVSS) scores.

    Note: SecurityScorecard bases its score mapping on CVSS version 2.0, which is more widely adopted than version 3.1.

    Use this article to help you identify, remediate, and resolve CVE-related issue types in your Scorecard.

    Find issue types with score-impacting CVEs

    Check your Scorecard for the following issue types:

    Issue type

    Description

    Factor

    CVSS v2.0
    score range

    High-Severity Vulnerability in Last Observation

    (In API: service_vuln_host_high)

    These are CVEs we find by scanning the entire internet by IP.


    Examples:

    CVE-2018-16844

    CVE-2019-20372

    CVE-2018-16843

    Patching Cadence 

    (Scoring weight: Low)

    7.0-10

    Medium-Severity Vulnerability in Last Observation

    (In API: service_vuln_host_medium)

    4.0-6.9

    Low-Severity Vulnerability in Last Observation

    (In API: service_vuln_host_low)

    0.0-3.9

    High-Severity Content Management System Vulnerabilities Identified

    (In API: web_vuln_host_high)

    These are CVEs in applications such as Wordpress or Drupal, and their plug-ins, which support the creation and modification of digital content through a common user interface.

     


    Examples:

    CVE-2018-7600

    CVE-2014-3704

    CVE-2015-6659

    Application Security

    (Scoring weight: Medium)

    7.0-10

    Medium-Severity Content Management System Vulnerabilities Identified

    (In API:
    web_vuln_host_medium)

    4.0-6.9

    Low-Severity Content Management System Vulnerabilities Identified

    (In API:     web_vuln_host_low)

    0.0-3.9

    High-Severity CVEs Patching Cadence

    (In API: patching_cadence_high)

    These issue types  show CVEs that have not that have not been resolved in the Scorecard longer than 45 days after the CVE was published.

    These issue types do not identify newly discovered CVEs.


    Note:  A different set of issue types, High-, Medium, and Low-severity CVE patching analyzed provides statistics on CVEs detected in a network, the percentage that were resolved in the past 180 days, and how quickly you apply patches. It does not list CVEs.

    Patching Cadence 

    (Scoring weight: Low)

    7.0-10

    Medium-Severity CVEs Patching Cadence

    (In API: patching_cadence_medium)

    4.0-6.9

    Low-Severity CVEs Patching Cadence

    (In API: patching_cadence_low)

    0.0-3.9

     

    Note: As of the August, 2022 scoring update, the following issue types are being removed from Scorecards:
    • Info-Severity Vulnerability in Last Observation - CVEs listed in this issue type are being transferred to Low- , Medium-, or High-Severity Vulnerability in Last Observation, depending on their CVSS score.
    • Info-Severity CVEs Patching Cadence - CVEs listed in this issue type are being transferred to Low- , Medium-, or High-Severity CVEs Patching Cadence, depending on their CVSS score.

    View the Findings table for these issue types. The table provides a row for each discovered instance of each CVE to help you with investigation.

    cve-issues-multiple-cve-findings.png

    Tip: The Findings table and .csv export table can list only 500 CSVs. To see all discovered CSVs, if they exceed 500, call the appropriate API endpoint. See the API documentation link for any issue type. 

    How we find and flag CVEs

    We find and identify exposed services running on 1300 ports in our recurring scans of the entire internet. These scans do not find services running behind firewalls. We read information about each service’s version through the banner, headers, or some other application response that is publicly accessible. We correlate the version with published vulnerability data to determine if the service and version are vulnerable.

    We also incorporate some CVE information from third-party sources.

    Address CVE-related issue types

    Consider prioritizing CVEs according to issue type severity, so that you can address the highest-risk vulnerabilities first. 

    Click a CVE in the Findings tables to view a detailed entry about it in the National Vulnerability Database (NVD). Use the links to References section to find recent industry advisories, remediation solutions, possible compensating controls, and other resources.

    cve-issue-types-nvd.png

    Also, keep monitoring the patching update feeds for products you use in your site, and apply updates as soon as they are available. 

    Tip: For additional assistance with CVE remediation, learn about SecurityScorecard’s Professional Services offerings.

    After remediating a finding, submit it to the SecurityScorecard Support team for review.

    Related articles