Vulnerability tests

What do the different values and information for vulnerabilities in vulnerability tests mean?

Here is an explanation of the different values and information for vulnerabilities on the Vulnerability Tests page in Security Center.

The Vulnerability Tests page lists the vulnerabilities covered by network and web application scanning.

Title
The name/short description of the vulnerability.
Example: SQL Injection.

Severity level
The severity level indicates how serious the vulnerability is. The severity level is a translation from the CVSS Score (see "CVSS Base"). Each level has a related color to quickly and easily recognize the severity of the vulnerability.

The severity levels and colors are as follows:

  • Info  
    Informational level. The finding is not likely to mean that you are exposed to a potential threat.
  • Low  
    Low level of severity. It does not usually mean that you are exposed to a potential threat.
  • Medium  
    Medium level of severity. This can mean that you are exposed to a potential threat.
  • High  
    High level of severity. In most cases, you are exposed to a potential threat.
  • Critical  
    Critical level of severity. You are exposed to a threat, with only a few exceptions.

Discovery method
The discovery method describes which scanning method was used to discover the vulnerability.

  • Remote Only
    Detected only using remote, unauthenticated scanning.
  • Authenticated Only
    Detected only using authenticated scanning.
  • Remote or Authenticated
    Detected using remote, unauthenticated scanning, or authenticated scanning.

Published
The date and time when the vulnerability was published.

Service modified
The date and time when the vulnerability was last modified.

HID

The HID (Holm Security ID) is a unique identifier within the Security Center for all vulnerabilities.
Example: HID-2-1-339509

Category
The category of vulnerability.
Example: Windows

CVE ID
A unique ID for the vulnerability commonly used by different software providers and vendors. Read more about CVE here (external website):
https://en.wikipedia.org/wiki/CVSS
Example: CVE-2014-0224

Vendor reference
Information from the software provider or similar.
Example (external website):
http://openssl.org/

Patch available
Whether a patch is available.

CVSS Base
The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. CVSS consists of three metric groups: Base, Temporal, and Environmental. The Base group represents the intrinsic qualities of a vulnerability, the Temporal group reflects the characteristics of a vulnerability that change over time, and the Environmental group represents the characteristics of a vulnerability unique to a user's environment. The Base metrics produce a score ranging from 0.0 to 10.0, which can be modified by scoring the Temporal and Environmental metrics. A CVSS score is also represented as a vector string, a compressed textual representation of the values used to derive the score.

The CVSS Score is translated into a severity level (see "Severity level") to simplify the vulnerability levels.

Translation from CVSS Score to Holm Security severity levels:

  • Info: 0.0
  • Low: 0.1 – 3.9
  • Medium: 4.0 – 6.9
  • High: 7.0 – 8.9
  • Critical: 9.0 – 10.0

CVSS Access Vector
The access vector shows how a vulnerability may be exploited.

  • Local
    The attacker must have physical access to the vulnerable system (e.g., FireWire attacks) or a local account (e.g., a privilege escalation attack).
  • Adjacent Network
    The attacker must have access to the broadcast or collision domain of the vulnerable system (e.g., ARP spoofing or Bluetooth attacks).
  • Network
    The vulnerable interface works at layer three or above of the OSI network stack. These vulnerabilities are often described as remotely exploitable (e.g., a remote buffer overflow in a network service).

Software
The software affected by the vulnerability.
Example: OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m and 1.0.1 before 1.0.1h

Impact
The impact the vulnerability has if exploited.
Example: Successfully exploiting this issue may allow attackers to obtain sensitive information by conducting a man-in-the-middle attack. This may lead to other attacks.

Solution
The recommended solution for the vulnerability.
Example: Updates are available.

Detection

How the Holm Security script operates to find the vulnerability.

Insight

Extended information on a more technical level, sometimes covering CVE-specific cases for vulnerability tests whose title refers to multiple vulnerabilities.