Hi All,
Till today I have seen many posts in which researchers posted that they got CVE by finding bug in `xyz` product etc. I always wonder "WOW" CVE but how shall I get one ? What is the process ? Will I able to find ? and many more questions in my head.
In this article I will list down how easy it is to get CVE ID for you and the confusion which I had and many security researchers out there have. I am writing this blog post just to guide those who still wonder what is CVE ID and how an security engineer can get it. It's just a method if you know how it works. Cheers you can get it.
Before we start, first let us understand the main difference between CVE and CWE
MITRE is a government-funded organization that puts out standards to be used by the information security community. Two of the most popular of these are CWE and CVE, and they’re often confused by security practitioners.
After all this I reported the same vulnerabilities to the product team of Open-AuditIT Professional
I just want to appreciate Open Audit team's efforts to take this issue seriously and fixing the bug promptly and Launching open-audit new version v2.2.0 .
Big kudos to Open-AuditIT Professional Team (y)
Till today I have seen many posts in which researchers posted that they got CVE by finding bug in `xyz` product etc. I always wonder "WOW" CVE but how shall I get one ? What is the process ? Will I able to find ? and many more questions in my head.
In this article I will list down how easy it is to get CVE ID for you and the confusion which I had and many security researchers out there have. I am writing this blog post just to guide those who still wonder what is CVE ID and how an security engineer can get it. It's just a method if you know how it works. Cheers you can get it.
Before we start, first let us understand the main difference between CVE and CWE
MITRE is a government-funded organization that puts out standards to be used by the information security community. Two of the most popular of these are CWE and CVE, and they’re often confused by security practitioners.
- CWE stands for Common Weakness Enumeration, and has to do with the vulnerability—not the instance within a product or system.
- CVE stands for Common Vulnerability Exposure, and has to do with the specific instance within a product or system—not the underlying flaw.
It is always easy to get the CVE.
But how ?
1x1 Find Any Product to Test
First you need to find any Product OR Open source tool. Say for example wamp server. (Install it in your local machine and try to find normal bugs which we find in Web application testing)
Once found check if that bug is reported in your tested product.
Hey, but how shall I search whether I found bug reported or not?
[A simple Google Search can give this answer]
Hey, but how shall I search whether I found bug reported or not?
[A simple Google Search can give this answer]
If it is not reported by anyone then "Hurry" you got the CVE.
But how actually I can claim ?
1x2 Submission Process to cve.mitre.org
3 - Fill the form
4 - Within 24 hours you will get a CVE ID allocated sent to you over email.
5 - After getting the CVE ID allocated, you will notice that the status of your CVE ID will be "Reserved". To make public you need to send vulnerability details via your blog post on the same email. i.e. just reply to that same mail, with your blog link for the exploit. It will be opened and made pubic.
6 - Now you can view your CVE in cve.mitre.org site
Next step is to submit the same in Exploit DB.
1x3 Exploit DB Submission format
Follow the instruction and send email to submit@offsec.com
The final outcome will look like this :-
Below is the CVE ID allocated to me
- CVE-2018-8903 - Stored XSS
- CVE-2018-8979 - Cross-Site Request Forgery (CSRF)
- CVE-2018-8937 - Open Redirect
- CVE-2018-8978 - Reflected XSS
After all this I reported the same vulnerabilities to the product team of Open-AuditIT Professional
I just want to appreciate Open Audit team's efforts to take this issue seriously and fixing the bug promptly and Launching open-audit new version v2.2.0 .
Big kudos to Open-AuditIT Professional Team (y)
Conclusion :-
I had always wondered about the process to get CVE ID but it's always bit confusing to me so just wrote this blog to help every security geek.
Special thanks to @Samrat Das for his guidance on the same.
Special thanks to @Samrat Das for his guidance on the same.
Information Security Domain is all about sharing your knowledge with everyone. Keeping that in mind, I hope now even you can find the CVE ID. Cheers (y)
EmoticonEmoticon