This document discusses about CVE (Common Vulnerabilities and Ex

Understanding and Analysing

Severity of Software Vulnerabilities
and Their Responsible Disclosure
CVE & CVSS

Roll No:
Table of Contents
TITLE: Understanding and Analysing Severity of Software Vulnerabilities and Their Responsible
Disclosure..............................................................................................................................................2
Abstract.............................................................................................................................................0
Introduction......................................................................................................................................1
Case-1: Understanding and Prioritizing Vulnerabilities....................................................................2
Utilization of National Vulnerability Database...............................................................................2
Stages of Vulnerability Management.............................................................................................2
CVSS 3.1 Scoring System and Its Components...............................................................................2
Vulnerability Analysis and Prioritization.......................................................................................3
CVE-2024-23895............................................................................................................................7
Recommended Mitigation Strategy for CVE-2024-40541 (SQL Injection Vulnerability)..............8
CASE-2: Responsible Disclosure of Vulnerabilities.........................................................................11
Introduction.................................................................................................................................11
Task 1: Steps and Timeline for Disclosing the Vulnerability.........................................................11
Task 2: Ethical Challenges in Vulnerability Disclosure..................................................................13
Conclusion.......................................................................................................................................16
References.......................................................................................................................................17
TITLE: Understanding and Analysing Severity of Software Vulnerabilities and Their Responsible
Disclosure
Abstract
Vulnerabilities in the software are the security weaknesses which can be exploited to compromise
the data, systems or their operations. Vulnerability disclosure is the process in which the issues are
identified, reported, and then mitigated responsibly. This report emphasizes on the importance of
utilizing vulnerability databases such as CVE (Common Vulnerabilities and Exposures) and CVSS
(Common Vulnerability Scoring System) to effectively assess, prioritize, and address these
vulnerabilities. Responsible disclosure of vulnerabilities enhances the entire security landscape and
ensures the observance of adopting best practices that promote collaboration among the concerned
stakeholders.
Introduction
Software vulnerabilities pose significant risks to CIA of systems. The CVE system allows a
standardized means of identifying and cataloging vulnerabilities. Every CVE entry is assigned a unique
identifier, which allows clear, consistent reference. CVEs are maintained by MITRE Corporation and is
assigned by authorized CVE Numbering Authorities (CNAs).

The CVSS (Common Vulnerability Scoring System) scale measure the severity of vulnerabilities using
various factors which includes attack vector, complexity, and their potential impact on CIA. CVSS
scores is used by the organizations to prioritize the identified vulnerabilities for their remediation.
But what makes CVE and CVSS important is its applicability to streamline the process of vulnerability
management with proper common understanding throughout the entire Cyber Security community.

Vulnerability Disclosure is the process of reporting the discovered vulnerabilities to relevant

stakeholders such as software vendors, so that remediation occurs in a timely manner. However, the
challenges, including ethical dilemmas, legal threats, and delays in patch deployment. This report
explores two case studies to demonstrate the significance of vulnerability analysis and responsible
disclosure of the vulnerabilities.
Case-1: Understanding and Prioritizing Vulnerabilities

Utilization of National Vulnerability Database

The NVD is a U.S. government repository, which contains standards for vulnerability management.
NVD uses Security Content Automation Protocol (SCAP) to represent this data. This data automates
of vulnerability management, security management and compliance. It also includes databases
related to security checklist references, security related flaws in software, product names and the
impact metrics. Therefore, it facilitates the process of vulnerability management and enhance the
overall security posture of any organization.

Stages of Vulnerability Management

There are five stages of vulnerability management which are as under:

Identification
This stage includes discovery of vulnerabilities. Tools like vulnerability scanners, penetration testing
tools, and other threat intelligence feeds are used in this process.

Assessment
Once the vulnerabilities are identified, then these vulnerabilities are analyzed to find out the
technical details like how these can be exploited and what will be their potential impact.

Prioritization
Vulnerabilities are ranked based on their severity (using CVSS 3.1 scores), impact, exploitability, and
the criticality of the affected assets.

Mitigation
This stage includes patching, configuration of vulnerable software or systems. It also includes
deployment of security controls, or implementation of compensatory measures.

Monitoring
Continuous monitoring ensures that mitigations applied to the software or systems are effective and
no new vulnerabilities are found in them.

CVSS 3.1 Scoring System and Its Components

The CVSS 3.1 scoring system evaluates the vulnerabilities through three metric groups:

1. Base Metrics: It represents the intrinsic qualities of the vulnerability and remain constant
over time. These include:

a. Attack Vector (AV): It refers to the proximity of the attacker to the vulnerable
system.
 b. Attack Complexity (AC):It describes the difficulty of exploiting the vulnerability.

c. Privileges Required (PR): It indicates the level of access that an attacker needs
to exploit the vulnerability.

d. User Interaction (UI): It denotes whether a user must take action for exploitation.

e. Confidentiality (C), Integrity (I), Availability (A): Assess the impact on CIA triad.

f. Scope (S): It evaluates whether exploitation will affect interconnected systems.

2. Temporal Metrics: It reflects changes in the severity of vulnerability over the time. For
example:

a. Availability of the exploitation code.

b. Confidence in the technical details of vulnerability.

3. Environmental Metrics: It is used to assess the impact of the vulnerability on a specific

environment. It determines the value of the asset and security requirements for it.

Vulnerability Analysis and Prioritization

CVE-2022-25394
 Initial Analysis: 3/14/2022 11:59:04 AM
 MITRE Modification: 5/14/2024 6:24:13 AM

Figure 1 Vulnerable Medical Store Management System

  CVE Modification: 11/21/2024 1:52:07 AM

 Severity Score (CVSS 3.1): 9.8 (Critical)

 Vulnerability Overview:Medical Store Management System v1.0 was discovered to contain

a SQL injection vulnerability via the cid parameter under customer-add.php.

 Metrics Breakdown:

o Attack Vector (AV): Network – This vulnerability can be exploited remotely over a
network without the requirement of physical access to the system.

o Attack Complexity (AC): Low – No advance skills or any specific conditions are are
required to exploit this vulnerability.

o Privileges Required (PR): None – The attackers do not require any prior
authentication or access privileges to exploit the vulnerability.

o User Interaction (UI): None – No legitimate user interaction is required for the attack
to succeed this exploit.

o Confidentiality Impact (C): High – The exploitation of this vulnerability can expose
sensitive data to unauthorized parties.

o Integrity Impact (I): High – In this vulnerability the attackers can modify critical data,
and can potentially affect the functionality of the system.

o Availability Impact (A): High – This vulnerability can disrupt or shut down the
affected system.

o Scope (S): Unchanged – This exploit can affect only the vulnerable system and does
not impact other systems.

Impact Summary:

This vulnerability exploits a critical buffer overflow in the XYZ application. It has severe implications
with regards to confidentiality, integrity, and availability of the system, hence, making it a high-
priority issue.
CVE-2024-40541

Figure 2 Vulnerability related to SQL Injection

 Published: 2024-07-12
 Updated: 2024-07-12

 Vulnerability Overview:A SQL injection vulnerability was discovered in my-springsecurity-

plus prior to version 2024.07.03. This vulnerability allows the exploitation through the
dataScope parameter present at the /api/dept/build endpoint, which can potentially
compromise sensitive data.
 Severity Score (CVSS 3.1): 9.8 (CRITICAL)
 Metrics Breakdown
o Attack Vector (AV): Network – This vulnerability can be exploited remotely, which
increases its potential impact.
o Attack Complexity (AC): Low – Minimal efforts or resources are required in the he
exploitation of this vulnerability.
o Privileges Required (PR): Low – In this vulnerability the attackers require limited
access in terms of a standard user account.
o User Interaction (UI): None – In this vulnerability no legitimate user action is
required.
o Confidentiality Impact (C): High – It will result in unauthorized access to sensitive
data.
o Integrity Impact (I): High – Unauthorized data modifications is possible.
 o Availability Impact (A): High – It will disrupt or degrade the performance of the
services.
o Scope (S): Unchanged – The exploit remains within the affected system.
 Impact Summary: This vulnerability poses high CIA risks due to the exposure of
sensitive information. This vulnerability doesn’t require user interaction which increases its

severity.

CVE-2024-40543

 Published: 2024-07-12

 Updated: 2024-07-12

Vulnerability Overview

A Server-Side Request Forgery (SSRF) vulnerability was discovered in PublicCMS v4.0.202302.e

through the /admin/ueditor?action=catchimage endpoint. This vulnerability allows attackers to
Figure 3 SSRF Vulnerability
make arbitrary requests to internal or external resources, potentially exposing sensitive information
or leading to further exploitation.

Severity Score (CVSS 3.1): 8.8 (HIGH)

Metrics Breakdown

 Attack Vector (AV): Network – The vulnerability can be exploited remotely, making it
accessible to attackers over a network.
  Attack Complexity (AC): Low – The exploitation requires minimal effort, with no specialized
conditions.

 Privileges Required (PR): Low – Attackers only require basic user privileges to exploit the
vulnerability.

 User Interaction (UI): None – No interaction from legitimate users is required to trigger the
exploit.

 Confidentiality Impact (C): High – Exploitation may result in the exposure of sensitive
information from internal systems.

 Integrity Impact (I): High – Attackers can manipulate or compromise data integrity.

 Availability Impact (A): High – Exploitation could disrupt or degrade services.

 Scope (S): Unchanged – The exploit remains confined to the affected system.

Impact Summary

This SSRF vulnerability presents

high risks across confidentiality, integrity,
and availability (CIA) dimensions. The ability
to exploit the flaw remotely, without
requiring user interaction, makes it a
significant security concern. Immediate
remediation and secure configuration are
recommended to mitigate its impact.

CVE-2024-23895

Figure 4 XSS Vulnerability

Vulnerability Overview: A Cross-Site Scripting (XSS) vulnerability has been identified in Cups
Easy (Purchase & Inventory), version 1.0. This vulnerability exists in the locationid parameter of the
/cupseasylive/locationcreate.php endpoint, in which the user-controlled inputs are encoded
insufficiently. This allows a remote attacker to send a specially crafted URL to an authenticated user
to steal the credentials of session cookie.

Severity Score (CVSS 3.1): 6.1 (MEDIUM)

Metrics Breakdown

 Attack Vector (AV): Network – The vulnerability can be exploited remotely over a network.

 Attack Complexity (AC): Low – No significant effort or complex prerequisites are required.

 Privileges Required (PR): None – Attackers do not require prior access to the system to
exploit this vulnerability.

 User Interaction (UI): Required – It depends on the interaction of victim with the malicious
URL.

 Confidentiality Impact (C): Low – The vulnerability can expose sensitive information, such as
session cookies, but not critical data.

 Integrity Impact (I): Low – It may allow minor modifications or manipulation of data.

 Availability Impact (A): None – This vulnerability does not impact the availability of the
system.

 Scope (S): Changed – It can impact other components beyond the initially affected system,
such as sessions of other users.

Impact Summary

This vulnerability is primarily affecting confidentiality and integrity. The exploitation requires user
interaction, which reduces its overall severity.

Recommended Mitigation Strategy for CVE-2024-40541 (SQL Injection Vulnerability)

Chosen Vulnerability: CVE-2024-40541 is selected due to its critical CVSS score (9.8) and its severe
impact on confidentiality, integrity, and availability (CIA) triad. The exploitation of this SQL Injection
vulnerability can lead to unauthorized access, data manipulation, and disruption of services; hence it
poses a significant threat to systems which are handling sensitive or critical information.

Mitigation Strategy:

1. Input Validation and Sanitization:

  Description: Strong input validation mechanisms must be implemented to reject inputs
containing SQL keywords or special characters unless explicitly allowed by administrator to
ensure that all user-supplied data is strictly validated against expected formats.

 Reasoning: This will mitigate the root cause of SQL injection by validating and sanitizing
input of the user.

2. Use of Prepared Statements and Parameterized Queries:

 Description: Dynamically constructed SQL queries must be replaced with parameterized

queries or stored procedures to ensures that user inputs are treated strictly as data and not
as executable commands.

 Reasoning: Prepared statements and precompile SQL queries prevent attackers from
injecting malicious SQL commands into user input fields.

3. Implement Database User Privileges:

 Description: Access to database must be restricted to privileges users, rest all the users
must operate with the minimum privileges required to perform their tasks.

 Reasoning: Least-privileged database accounts limit the scope of the damage by

restricting access to sensitive tables or operations even if the attack is successful.

4. Regular Security Patching and Updates:

 Description: It must be ensured that the application and database management systems
(DBMS) are regularly updated to the latest versions.

 Reasoning: Keeping the system up to date will mitigate the risk of exploitation.

5. Employ Web Application Firewalls (WAF):

 Description: WAF will monitor and filter the malicious web requests like SQL injection
attacks.

 Reasoning: These are capable of detecting and blocking malicious activity based on
attacks, even if the application is vulnerable.

Critical Analysis and Justification

 Impact on Confidentiality: The SQL injection vulnerability poses a high risk to

confidentiality because the attackers can extract sensitive data, such as personally
 identifiable information (PII) or credentials. Input validation and prepared statements can
address this by blocking malicious attempts to extract the data.

 Impact on Integrity: It can lead to unauthorized modification of data, such as altering

records or injecting malicious data into the database. Prepared statements and restricted
database privileges prevent unauthorized manipulation by separating user input from SQL
execution.

 Impact on Availability: This vulnerability can disrupt services or corrupt databases; thus, it
reduces the availability of the system. The continuity of the service will be ensured by
deploying WAFs and regularly patching the systems. This will ensure availability of services
mitigate the overloading or corruption the databases.

 Ease of Implementation:

o Moderate effort is required to implement Input validation and prepared in the

codebase of the application.

o Restriction of database privileges is relatively simple and ensures the protection of

the system.

o Deployment of a WAF provides immediate defense, however, it may require tuning

to avoid false positives.

Comparison to Other Vulnerabilities

Although CVE-2024-40543 (SSRF) and CVE-2024-23895 (XSS) are also significant, however, the
localized defenses can mitigate these attack vectors, e.g. strict access control for the SSRF or proper
output encoding for XSS. CVE-2024-40541, however, directly threatens the core database, making it
far more impactful on all aspects of CIA.
CASE-2: Responsible Disclosure of Vulnerabilities

Introduction
In the field of cybersecurity, it is very important to responsibly disclose the vulnerabilities. This
ensures that the flaws in the software or systems are identified, reported, and resolved to minimize
the risks to users and systems. This process includes ethical considerations, technical precision, and
clear communication with the stakeholders. This document provides a detailed framework for
vulnerability disclosure, focus on ethical principles, provides step-by-step processes, and challenges
which may arise during this process.

Task 1: Steps and Timeline for Disclosing the Vulnerability

This process necessitates a methodical approach to ensure confidentiality, collaboration, and
constructive remediation. Below is a detailed timeline and analysis of steps involved in disclosure of
critical vulnerability.

Step 1: Initial Discovery

 Action: It includes identification and verification of the vulnerability. This includes
documentation of evidences like screenshots, exploit proof-of-concept (PoC), and system
logs.

 Timeline: Day 0

 Description: In this phase, the primary aim is to confirm the existence of vulnerability and its
severity. Tools such as vulnerability scanners, manual penetration testing, and code analysis
are used to confirm these findings.

 Key Considerations:

o This stage confirms the reproducibility of the issue.

o It assigns a severity score to the vulnerability using frameworks such as CVSS.

o It ensures that the work is within the ethical and legal boundaries.

Step 2: Preparing for Disclosure

 Action: At this a comprehensive technical report is compiled which includes the details of
the vulnerability, its impact, and potential remedies related to the vulnerability.

 Timeline: Days 1–3

 Description: A well-structured report enhances the credibility of the discovery and facilitates
the vendor to understand the issue.
  Key Considerations:

o Include system configuration details where the vulnerability exists.

o Suggest possible mitigation measures or temporary fixes.

o Maintain professionalism in all communications.

Step 3: Confidential Disclosure to the Vendor

 Action: The vendor must be contacted through official channels (e.g., a security email or bug
bounty platform) to share the report with them under confidential terms.

 Timeline: Days 4–7

 Description: It is necessary to secretly share the information with the venders, using
encryption tools such as PGP to protect the confidentiality and integrity of sensitive data.

 Key Considerations:

o It must be ensured to get acknowledgment receipt from the vendor.

o A CVE ID must be reserved through organizations like MITRE to ensure the tracking
of the vulnerability.

o Responsible disclosure policy of vendors must be adhered if it exists.

Step 4: Initial Response of Venders

 Action: During the investigation and validation phase of the vulnerability it is advisable to
collaborate with the vendor.

 Timeline: Days 8–15

 Description: During this phase, the vendors typically acknowledge the issues and make an
initial remedial plan for the vulnerability. Therefore, this phase demands continuous
communication with the vendor to ensure that the vulnerability has been understood and its
findings are aligned as well.

 Key Considerations:

o Follow up if the vendor is unresponsive within the agreed timeline.

o Avoid disclosing the vulnerability publicly until the vendor has a resolution plan.
Step 5: Remediation Period
 Action: Work with the vendor to develop and test patches or mitigation strategies.

 Timeline: Days 16–60

 Description: The remedial timeline depends upon the complexity of the issue and its impact.
During this period, additional testing and clarifications should be carried out to assist the
vendor.

 Key Considerations:

o Be flexible with timelines if the vendor demonstrates good-faith efforts.

o Escalate unresolved issues to third-party organizations like CERT/CC if progress stalls.

Step 6: Public Disclosure

 Action: In the end the vulnerability details are published responsibly, and synchronized with
the vendor to release patches.

 Timeline: Day 61 (or earlier if exploitation in the wild occurs)

 Description: The final step involves sharing the vulnerability with the wider community,
ensuring that users and administrators can protect themselves.

 Key Considerations:

o Release only necessary technical details to prevent aiding attackers.

o Leverage platforms like NVD, CERT/CC, or industry blogs to amplify the advisory’s
reach.

Time

Figure 5 Vulnerability Disclosure timeline

Task 2: Ethical Challenges in Vulnerability Disclosure
There are multiple challenges which are faced during the disclosure of vulnerabilities. These
challenges often arise due to the conflict of interests among stakeholders, legal complexities, and
above all the urge to protect the users from being exploited.

1. Conflict of Interests

 Scenario: It may happen

that the vendors prioritize their reputation over addressing vulnerabilities promptly, and
delay or suppress disclosure of vulnerabilities.

 Ethical Dilemma: Should the vulnerability be disclosed publicly to protect users or continue
negotiating with the vendor?

 Resolution:

o Third-party mediators like CERT/CC must be engaged to facilitate the discussions.

o All interactions with the vendor must be documented to demonstrate good-faith to

the vendor.

2. Legal Risks
  Scenario: It might happen that the identified vulnerability involves unauthorized testing and
fall under laws Computer Fraud and Abuse Act (CFAA). It is possible that the vendors
threaten to take legal actions under these laws.

 Ethical Dilemma: Should the vulnerability have disclosed despite potential legal
consequences?

 Resolution:

o Legal experts must be consulted to ensure compliance with local and international
laws.

o Responsible testing methods must be used, which are permitted under bug bounty
programs.

3. Lack of Bounty Payment

 Scenario: It may happen that the vendors refuse to pay the promised rewards, and
undermine the trust between researchers and organizations.

 Ethical Dilemma: Should the issue be escalated publicly or accept the stance of vendors?

 Resolution:

o The issue must be formally resolved through bug bounty platforms.

o Retaliatory actions must be avoided which can compromise professional integrity.

4. Premature Exploitation Risks

 Scenario: The risk of exploitation is increased if the vulnerability is disclosed before its
remediation.

 Ethical Dilemma: Should the critical information be withheld even if it leaves users
vulnerable?

 Resolution:

o Public disclosure of vulnerability must be delayed until patches are available.

o Organizations like CERT/CC must be contacted to balance user protection with

disclosure timing.

Task 3: Addressing Vendor Resistance

If a vendor refuses to cooperate, pay the bounty, or threatens legal action, following strategies may
be employed:

1. Engage Mediators:

o Third-party entities like CERT/CC or Bugcrowd should be engaged to ensure

impartiality and resolve the disputes.

2. Document Communications:

o Detailed records of all interactions must be maintained to establish a clear timeline

and demonstrate a professional conduct.

3. Seek Legal Counsel:

o A cybersecurity lawyer should be contacted to address potential legal threats and

understand own rights.

4. Consider Public Disclosure:

o If the vendor is uncooperative and users are at risk, public disclosure through trusted
platforms must be contacted vis-à-vis responsible disclosure guidelines must be
adhered.

5. Leverage Community Support:

o Own experiences must be shared with the ethical hacking community to highlight
uncooperative vendors and take guidance for better disclosure policies.
Conclusion
To ensure the security and safeguard the software or systems is important to ensure effective
vulnerability management and responsible disclosure of vulnerabilities. In vulnerability management,
identification, prioritization, and remediation of risks promptly minimize the potential exploitation of
users. Similarly, responsible disclosure promotes collaboration among vendors to ethically address
vulnerabilities and maintain transparency to protect the safety of users. Organizations can mitigate
risks, balance interest of stakeholder, and prioritize security of systems by adhering to the best
practices, including frameworks like ISO 29147.
References
1. ISO/IEC 29147:2018 "Information technology — Security techniques — Vulnerability
disclosure" Available at: https://www.iso.org

2. NIST Special Publication 800-53 "Security and Privacy Controls for Information Systems and
Organizations" National Institute of Standards and Technology (NIST) Available at:
https://csrc.nist.gov/publications

3. Arora, A., Krishnan, R., Telang, R. (2004)."An Empirical Analysis of Vendor Response to
Disclosure Policy" Information Systems Research, Vol. 15, Issue 3, pp. 209–229. DOI:
https://doi.org/10.1287/isre.1040.0027

4. Hou, J., Hsu, C., Hu, C. (2018)."Vulnerability Management in Cybersecurity: A Framework for
Prioritization and Response" Computers & Security, Vol. 76, pp. 34–47. DOI:
https://doi.org/10.1016/j.cose.2018.03.006

5. MITRE ATT&CK Framework "A globally accessible knowledge base of adversary tactics and
techniques" Available at: https://attack.mitre.org

6. CVE Program (Common Vulnerabilities and Exposures) "Publicly disclosed cybersecurity

vulnerabilities" Available at: https://cve.mitre.org

7. FIRST Vulnerability Coordination Guidelines "Vulnerability Coordination and Disclosure Best

Practices" Available at: https://www.first.org

8. 2024 Verizon Data Breach Investigations Report Available at:

https://www.verizon.com/business/resources/reports/dbir/

9. Google Project Zero: Vulnerability Disclosure Policies "Improving the security of software
through timely disclosures" Available at: https://googleprojectzero.blogspot.com

10. Microsoft Security Response Center (MSRC) "Coordinated Vulnerability Disclosure (CVD)"
Available at: https://www.microsoft.com/msrc

11. Schneier, B. (2023). "The Ethics of Responsible Disclosure in Cybersecurity" Available at:
https://www.schneier.com

12. CERT Coordination Center (CERT/CC). "Vulnerability Disclosure Policy"Available at:

https://vuls.cert.org

13. Rapid7 (2022). "Understanding Vulnerability Management: Tools, Techniques, and Best
Practices" Available at: https://www.rapid7.com