\"attackers las arbitrar National Vulnerability Database (NVD) NVD Part I. Commo
ID: 3752276 • Letter: #
Question
National Vulnerability Database (NVD)
Part I. Common Platform Enumeration (CPE)
Visit NVD (https://nvd.nist.gov/vuln). Under Products, choose CPE search. Use search to find two software applications with which you are familiar. Try to find the latest version. List the CPE ID for 2 products, i.e. Version 2.2: cpe:/a:dotpdn:paint.net:5.10
Part II. Vulnerability Categories and Common Weakness Enumerations (CWE)
Visit NVD. Under Vulnerabilities, choose Categories. Choose 5 Categories from the table at the bottom of the page to review. For each category list the CWE ID, Description, and a Possible Mitigation (if any are listed). See https://nvd.nist.gov/vuln/categories
CWE: CWE-287: Improper Authentication
Description: When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.
Possible Mitigation: Use an authentication framework or library such as the OWASP ESAPI Authentication feature.
Alternate site: https://www.cvedetails.com/cwe-definitions.php
Part III. Current Vulnerabilities
Visit CVE Details (https://www.cvedetails.com/product-list.php) and find three current products (applications, operating systems, and/or hardware) that have vulnerabilities. For each vulnerability capture a screen shot and/or list the following information.
CVE ID: CVE-2018-4233
Product name: iOS products
Description:
CVSS Score: 6.8
Any related CWEs: CWE-119
Explanation / Answer
Part I:
Two software applications:
Part II:
1st Category:
CWE: CWE-774 Allocation of File Descriptors or Handles Without Limits or Throttling
Description: The software allocates file descriptors or handles on behalf of an actor without imposing any restrictions on how many descriptors can be allocated, in violation of the intended security policy for that actor.
Possible Mitigation: Use resource-limiting settings provided by the operating system or environment. For example, when managing system resources in POSIX, setrlimit() can be used to set limits for certain types of resources, and getrlimit() can determine how many resources are available. However, these functions are not available on all operating systems.
2nd Category:
CWE: CWE-88 Argument Injection or Modification
Description: The software does not sufficiently delimit the arguments being passed to a component in another control sphere, allowing alternate arguments to be provided, leading to potentially security-relevant changes.
Possible Mitigation: Understand all the potential areas where untrusted inputs can enter your software: parameters or arguments, cookies, anything read from the network, environment variables, request headers as well as content, URL components, e-mail, files, databases, and any external systems that provide data to the application. Perform input validation at well-defined interfaces.
3rd Category:
CWE: CWE-405 Asymmetric Resource Consumption (Amplification)
Description: Software that does not appropriately monitor or control resource consumption can lead to adverse system performance.
Possible Mitigation: An application must make resources available to a client commensurate with the client's access level.
4th Category:
CWE: CWE-119 Buffer Errors
Description: The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.
Possible Mitigation: Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
5th Category:
CWE: CWE-94 Code Injection
Description: The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Possible Mitigation: Refactor your program so that you do not have to dynamically generate code.
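The setrlimit()/getrlimit() mitigation quoted under CWE-774 above, as an added example that is not part of the original answer, NVD or CWE: the program lowers its own soft RLIMIT_NOFILE, then opens /dev/null until the kernel refuses with EMFILE, which is exactly the throttle the mitigation describes. The cap of 32, the probe ceiling of 256 and the function name probe_fd_cap are my own choices for the demonstration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <unistd.h>

/* Outcome of one probe: descriptors opened before the kernel refused,
 * and the errno it refused with (0 if the probe hit its own array size). */
struct fd_probe {
    int opened;
    int err;
};

/* Lower this process's soft RLIMIT_NOFILE to `cap`, then open /dev/null in a
 * loop until open() fails.  The hard limit is left alone (an unprivileged
 * process may only lower it), every descriptor is closed and the previous
 * soft limit is restored before returning, so the caller is unaffected.
 * This is the per-actor limit CWE-774 asks for, applied to ourselves. */
struct fd_probe probe_fd_cap(rlim_t cap)
{
    struct fd_probe r = { 0, 0 };
    struct rlimit old, lim;
    int fds[256];                      /* probe ceiling; keep cap below this */

    if (getrlimit(RLIMIT_NOFILE, &old) != 0) {
        r.err = errno;
        return r;
    }
    lim.rlim_cur = cap;                /* the soft limit is what open() enforces */
    lim.rlim_max = old.rlim_max;       /* never touch the hard limit */
    if (setrlimit(RLIMIT_NOFILE, &lim) != 0) {
        r.err = errno;
        return r;
    }

    while (r.opened < (int)(sizeof fds / sizeof fds[0])) {
        int fd = open("/dev/null", O_RDONLY);
        if (fd < 0) {
            r.err = errno;             /* expected: EMFILE once fd >= cap */
            break;
        }
        fds[r.opened++] = fd;
    }

    for (int i = 0; i < r.opened; i++)
        close(fds[i]);
    setrlimit(RLIMIT_NOFILE, &old);    /* restore the original soft limit */
    return r;
}

int main(void)
{
    struct fd_probe r = probe_fd_cap(32);
    printf("opened %d descriptors before open() failed: %s\n",
           r.opened, r.err ? strerror(r.err) : "(limit not reached)");
    return r.err == EMFILE ? 0 : 1;
}
```

Because descriptors 0, 1 and 2 are already open, a cap of 32 leaves at most 29 slots; the count printed is usually a little lower because the runtime holds other descriptors. Note that the limit counts descriptor numbers, not bytes or files, so a process that leaks handles will still hit it even if every leaked handle points at the same file.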
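The argument-delimiting problem behind CWE-88 above, as an added example that is not from the original answer or from CWE: a wrapper passes a user-supplied path to a hypothetical "rmtool" whose option parsing is done with POSIX getopt(). Without a "--" separator, a "file name" of -rf is re-parsed as the options -r and -f and there is no operand left; with the separator it is an operand. The tool name, its option letters and the run_delete helper are assumptions made for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* What the tool's option parser concluded from its command line. */
struct parse_result {
    int recursive;   /* -r seen */
    int force;       /* -f seen */
    int operands;    /* non-option arguments left for the tool to act on */
};

/* Parse `argv` the way a typical POSIX tool would: options first, then
 * operands, with "--" ending option processing. */
static struct parse_result parse_args(int argc, char *argv[])
{
    struct parse_result res = { 0, 0, 0 };
    int c;

    optind = 0;      /* full getopt reset (glibc/musl); BSD needs optind=1, optreset=1 */
    opterr = 0;      /* silence "invalid option" messages on stderr */
    while ((c = getopt(argc, argv, "rf")) != -1) {
        if (c == 'r')
            res.recursive = 1;
        else if (c == 'f')
            res.force = 1;
    }
    res.operands = argc - optind;
    return res;
}

/* Build the command line a wrapper would hand to "rmtool" for a user-supplied
 * path.  With `guard` set, "--" is inserted before the path so it can only
 * ever be an operand; without it, a path beginning with '-' is re-parsed as
 * options by the callee, which is the CWE-88 condition. */
struct parse_result run_delete(const char *user_path, int guard)
{
    char *argv[4];
    int argc = 0;

    argv[argc++] = "rmtool";
    if (guard)
        argv[argc++] = "--";           /* the delimiter CWE-88 is about */
    argv[argc++] = (char *)user_path;
    argv[argc] = NULL;
    return parse_args(argc, argv);
}

int main(void)
{
    const char *attacker_path = "-rf";  /* constructed malicious "file name" */
    struct parse_result bad = run_delete(attacker_path, 0);
    struct parse_result good = run_delete(attacker_path, 1);

    printf("unguarded: recursive=%d force=%d operands=%d\n",
           bad.recursive, bad.force, bad.operands);
    printf("guarded:   recursive=%d force=%d operands=%d\n",
           good.recursive, good.force, good.operands);
    return 0;
}
```

The separator only helps when the callee honours it (getopt-style tools do; many scripts and some Windows programs do not), so the input-validation half of the mitigation, rejecting operands that start with '-' at the trust boundary, is still worth keeping alongside it.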
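A concrete instance of CWE-119 next to its fix, as an added example that is not part of the original answer or of NVD's category text: a parser for a length-prefixed record where an attacker controls both the length byte and the payload. The unchecked version copies whatever length the record claims; the checked version bounds every read against the record actually received and every write against the destination. The wire format (one length byte, then payload), the record names and the scratch buffer are assumptions for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable: trusts the declared length and copies it, even when the record
 * is shorter than it claims.  It reads past the end of `rec` and, if `out` is
 * smaller than 255 bytes, writes past the end of `out` (CWE-119).  Both size
 * parameters are accepted and then ignored, which is the bug. */
int parse_record_unchecked(const uint8_t *rec, size_t rec_len,
                           uint8_t *out, size_t out_len)
{
    (void)rec_len;
    (void)out_len;
    size_t n = rec[0];
    memcpy(out, rec + 1, n);
    return (int)n;
}

/* Hardened: every read and write is checked against the real buffer sizes
 * before it happens.  Returns the payload length, or -1 and leaves `out`
 * untouched when the record is malformed or the payload would not fit. */
int parse_record_checked(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_len)
{
    if (rec == NULL || out == NULL || rec_len < 1)
        return -1;
    size_t n = rec[0];
    if (n > rec_len - 1)                   /* claims more than we were given */
        return -1;
    if (n > out_len)                       /* would overflow the destination */
        return -1;
    memcpy(out, rec + 1, n);
    return (int)n;
}

/* Constructed inputs: a well-formed record, and one whose length byte claims
 * 200 payload bytes although only 3 follow it. */
const uint8_t GOOD_REC[] = { 5, 'h', 'e', 'l', 'l', 'o' };
const uint8_t EVIL_REC[] = { 200, 'a', 'b', 'c' };
uint8_t scratch[16];

int main(void)
{
    printf("checked,   good record: %d\n",
           parse_record_checked(GOOD_REC, sizeof GOOD_REC, scratch, sizeof scratch));
    printf("checked,   evil record: %d\n",
           parse_record_checked(EVIL_REC, sizeof EVIL_REC, scratch, sizeof scratch));
    printf("unchecked, good record: %d\n",
           parse_record_unchecked(GOOD_REC, sizeof GOOD_REC, scratch, sizeof scratch));
    /* parse_record_unchecked(EVIL_REC, ...) is deliberately not called: it
     * would read 196 bytes past EVIL_REC and write 184 bytes past scratch. */
    return 0;
}
```

The two versions agree on well-formed input, which is why this class of bug survives testing; only the checked version turns the malformed record into an error instead of an out-of-bounds read and write. The mitigation quoted above (a memory-safe language) removes the need to write the two bounds checks by hand, which is its whole point.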