Supported CVEs for reachability analysis | Fluid Attacks Help


Supported

Info
Fluid Attacks informs of reachability status at the following levels:
  1. Latent: (a) A vulnerable dependency is declared in the package manager, but (b) no file imports the dependency.
  2. Potential: (a) A vulnerable dependency is declared in the package manager, (b) the vulnerable dependency is imported in the code, but (c) the vulnerable function in the dependency is not called from the code.
  3. Reachable: (a) A vulnerable dependency is declared in the package manager, (b) the vulnerable dependency is imported in the code, and (c) the vulnerable function in the dependency is called from the code.
Below are two technical examples and an analogy for better comprehension:
Example 1 in JS (Node.js)
File package.json
{
  "name": "demo-app",
  "version": "1.0.0",
  "dependencies": {
    "vulnLib": "1.2.3"
  }
}

File app.js
// LATENT: Library declared in package.json but not imported nor used
console.log("Hello world");

// POTENTIAL: Library imported but vulnerable function not used
import vulnLib from 'vulnLib';
console.log("Library loaded but dangerous function not used");

// REACHABLE: Library imported and vulnerable function is used
import vulnLib from 'vulnLib';
vulnLib.dangerousFunction(); // <- Risk activated
Example 2 in Python
File requirements.txt
vuln-lib==1.2.3

File app.py
# LATENT: Library declared in requirements.txt but not imported nor used
print("Hello world")

# POTENTIAL: Library imported but vulnerable function not used

import vuln_lib
print("Library loaded but dangerous function not used")

# REACHABLE: Library imported and vulnerable function is used
import vuln_lib
vuln_lib.dangerousFunction() # <- Risk activated
Analogy
  1. Latent
     (a) The book is in the library (declared), but
     (b) you do not read any chapter (not imported).
  2. Potential
     (a) The book is in the library (declared),
     (b) you start reading any chapter (imported), but
     (c) you do not read the faulty chapter.
  3. Reachable
     (a) The book is in the library (declared),
     (b) you start reading any chapter (imported), and
     (c) you read the faulty chapter and use it as a reference for your MBA thesis.
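As an added illustration (not Fluid Attacks' code nor the tool this page describes), the following Python script applies the three levels to the Python example above: it checks the manifest for the declaration (a), the AST for the import (b), and then for a direct call to the vulnerable function (c). It goes one step beyond the page's example by also recognising `from vuln_lib import dangerousFunction as df`; the package, module and function names are the page's hypothetical vuln_lib/dangerousFunction, and the inputs are constructed inline.

```python
import ast

# Constructed sample inputs mirroring the page's Python example (not project code).
REQUIREMENTS = "vuln-lib==1.2.3\nother-lib==0.1.0\n"
LATENT_SRC = 'print("Hello world")\n'
POTENTIAL_SRC = 'import vuln_lib\nprint("Library loaded but dangerous function not used")\n'
REACHABLE_SRC = 'import vuln_lib\nvuln_lib.dangerousFunction()  # <- Risk activated\n'
ALIAS_SRC = 'from vuln_lib import dangerousFunction as df\ndf()\n'


def declared(requirements, package):
    """True when the package is listed in requirements.txt (pinned or not)."""
    norm = lambda s: s.strip().lower().replace("-", "_")
    for line in requirements.splitlines():
        name = line.split("==")[0].split(">=")[0].split("<=")[0]
        if line.strip() and norm(name) == norm(package):
            return True
    return False


def classify(requirements, source, package, module, func):
    """Return 'not affected', 'latent', 'potential' or 'reachable' for one advisory.
    package: requirements.txt name; module: import name; func: vulnerable function."""
    if not declared(requirements, package):
        return "not affected"
    tree = ast.parse(source)
    imported, module_aliases, func_names = False, set(), set()
    for node in ast.walk(tree):                 # step (b): is the module imported?
        if isinstance(node, ast.Import):
            for a in node.names:
                if a.name == module:
                    imported = True
                    module_aliases.add(a.asname or a.name)
        elif isinstance(node, ast.ImportFrom) and node.module == module:
            imported = True
            func_names.update(a.asname or a.name for a in node.names if a.name == func)
    if not imported:
        return "latent"                         # declared, never imported
    for node in ast.walk(tree):                 # step (c): is the function called?
        if not isinstance(node, ast.Call):
            continue
        f = node.func
        if isinstance(f, ast.Name) and f.id in func_names:
            return "reachable"
        if (isinstance(f, ast.Attribute) and f.attr == func
                and isinstance(f.value, ast.Name) and f.value.id in module_aliases):
            return "reachable"
    return "potential"                          # imported, vulnerable function not called
```

This single-file check only sees direct call sites; a real analysis also has to follow calls through the dependency's own code and across modules, which is why the Reachable level is limited to the functions in the table below.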

Latent and Potential

At the Latent and Potential levels, Fluid Attacks supports all CVEs (or other advisories) issued about vulnerable third-party dependencies or libraries in reliable vulnerability databases and written in all supported languages and package managers. See the list of sources in Vulnerability signature update.

Reachable

Currently, Fluid Attacks has methods to detect when software effectively calls known vulnerable functions reported in the CVE entries/advisories shown in the following table, where they are classified by the programming language in which the functions are written:

Language    | CVE IDs | Methods
------------|---------|--------
C#          |         | 2
Dart        |         | 1
Go          |         | 1
Java        |         | 4
JavaScript  |         | 41
Kotlin      |         | 1
PHP         |         | 1
Python      |         | 5
Ruby        |         | 1
Scala       |         | 1
Swift       |         | 1
TypeScript  |         | 41

Total methods: 100

Unsupported

Latent and Potential

At the Latent and Potential levels, Fluid Attacks' testing does not support CVEs/advisories outside its supported databases and supported languages and packages.

Reachable

At the Reachable level, Fluid Attacks' analysis does not support any CVE/advisory corresponding to vulnerabilities in software libraries not listed in the above table.