The Inferred CVEs that may impact a specific service are listed on the Services details page in Cortex Xpanse. A service can have several software packages running on it, so it is common for there to be Inferred CVEs for different products impacting a single service.
1. Navigate to the Services tab in Cortex Xpanse.
2. From the list of services, select a service by clicking the relevant row.
   The Inferred CVEs column in the service list shows how many Inferred CVEs potentially affect that service.
3. On the Service details page, scroll to the Inferred Potential CVEs section and expand the list.
For each Inferred CVE, Cortex Xpanse provides the information listed in the following table to help you determine which of the Inferred CVEs should be addressed.
CVE ID
    The CVE ID is linked to the CVE entry in the National Vulnerability Database (NVD).

CVSS v3 Score
    The Common Vulnerability Scoring System (CVSS) is an industry standard for assessing the severity of software security vulnerabilities. CVSS scores range from 0 to 10, with 10 being the most severe. For the specific metrics used to calculate a CVSS v3 score, see https://www.first.org/cvss/.
    N/A indicates that the CVE doesn't have a CVSS v3 score.

CVSS v2 Score
    The Common Vulnerability Scoring System (CVSS) is an industry standard for assessing the severity of software security vulnerabilities. CVSS scores range from 0 to 10, with 10 being the most severe. For the specific metrics used to calculate a CVSS v2 score, see https://www.first.org/cvss/.
    N/A indicates that the CVE doesn't have a CVSS v2 score.

Confidence
    Confidence in the CVE inference:
    High—An exact version match
    Medium—An approximate version match
    Low—A match based on product name only
    For more information about Inferred CVE match confidence, see Inferred CVEs.

Inferred From
    Lists the product name and version information that Cortex Xpanse used to make the CVE inference:
    Product name and version number—Matched on both product name and version.
    Product name only—Matched on product name only because the service doesn't advertise version information.
    Product name and Non-version-specific CVE—Matched on product name only because the National Vulnerability Database CVE definition does not include version numbers.
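As an added illustration, not Cortex Xpanse code and not an Xpanse-defined ranking, the following Python snippet shows one way to triage a list of Inferred CVEs using the fields described above: it prefers the CVSS v3 score, falls back to the v2 score when v3 is N/A, orders High-confidence matches ahead of Medium and Low, puts unscored entries last within each confidence level, and flags Low-confidence (product-name-only) matches for manual version verification before any remediation work. The InferredCVE record type, the sample rows with placeholder CVE IDs, the numeric confidence ranks and the priority rule are all constructed assumptions for this example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Confidence levels as listed in the Inferred CVE table. The numeric ranks
# are an assumption made for this example, not an Xpanse-defined weighting.
CONFIDENCE_RANK = {"High": 3, "Medium": 2, "Low": 1}


@dataclass(frozen=True)
class InferredCVE:
    """One row of the Inferred Potential CVEs list (constructed record type)."""
    cve_id: str
    cvss_v3: Optional[float]  # None models an "N/A" CVSS v3 score
    cvss_v2: Optional[float]  # None models an "N/A" CVSS v2 score
    confidence: str           # "High", "Medium" or "Low"
    inferred_from: str


def effective_score(cve: InferredCVE) -> Optional[float]:
    """Prefer the CVSS v3 score and fall back to v2 when v3 is N/A.

    Returns None when the CVE carries neither score.
    """
    if cve.cvss_v3 is not None:
        return cve.cvss_v3
    return cve.cvss_v2


def severity_band(score: Optional[float]) -> str:
    """Map a score to the CVSS v3.x qualitative rating scale published by FIRST.

    None is reported as "Unscored". For simplicity the same bands are applied
    to a v2 fallback score, although CVSS v2 uses a slightly different scale.
    """
    if score is None:
        return "Unscored"
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def priority_key(cve: InferredCVE):
    """Sort key: higher confidence first, then higher score, unscored last."""
    score = effective_score(cve)
    # Negate so larger scores sort first; 1.0 sorts after every negated score.
    score_key = -score if score is not None else 1.0
    return (-CONFIDENCE_RANK.get(cve.confidence, 0), score_key, cve.cve_id)


def prioritize(cves: List[InferredCVE]) -> List[str]:
    """Return CVE IDs in the order a defender would review them."""
    return [c.cve_id for c in sorted(cves, key=priority_key)]


def triage_note(cve: InferredCVE) -> str:
    """Explain which score was used and whether the match needs a manual check."""
    score = effective_score(cve)
    if cve.cvss_v3 is not None:
        source = "v3"
    elif cve.cvss_v2 is not None:
        source = "v2 fallback"
    else:
        source = "no score"
    note = f"{cve.cve_id}: {severity_band(score)} ({source}), confidence {cve.confidence}"
    if cve.confidence == "Low":
        # Low confidence means a product-name-only match: the service may not
        # actually run an affected version.
        note += "; product-name-only match, verify the running version before acting"
    return note


# Constructed sample rows with placeholder CVE IDs (not real identifiers).
SAMPLE: List[InferredCVE] = [
    InferredCVE("CVE-YYYY-0001", 9.8, 10.0, "High", "Product name and version number"),
    InferredCVE("CVE-YYYY-0002", None, 7.5, "High", "Product name and version number"),
    InferredCVE("CVE-YYYY-0003", 5.3, 5.0, "Medium", "Product name and version number"),
    InferredCVE("CVE-YYYY-0004", None, None, "High", "Product name and Non-version-specific CVE"),
    InferredCVE("CVE-YYYY-0005", 9.1, None, "Low", "Product name only"),
]

if __name__ == "__main__":
    for cve in sorted(SAMPLE, key=priority_key):
        print(triage_note(cve))
```

The ordering deliberately puts confidence before score: a Critical-scored CVE matched on product name alone is a candidate for verification, not yet a confirmed exposure, whereas an exact version match with a lower score is something the service is known to be running.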