Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add CWE-PoC list file #376

Merged
merged 3 commits into from
Nov 9, 2023
Merged

Add CWE-PoC list file #376

merged 3 commits into from
Nov 9, 2023

Conversation

koscinv
Copy link
Contributor

@koscinv koscinv commented Nov 7, 2023

This CSV file contains a list of CWEs which may result in a PoC value for "state of exploitation" because "the vulnerability has a well-known method of exploitation." It contains links to some exploit tools for those CWEs that indicate a potential PoC. It also contains CWEs which could not be PoCs as well as reasoning behind them. All CWEs in this list have been found to map to CVEs.

Potentially closes #158

This CSV file contains a list of CWEs which may result in a PoC value for "state of exploitation" because "the vulnerability has a well-known method of exploitation." It contains links to potential exploit tools. It also contains CWEs which could not be PoCs as well as some reasoning behind this.
Copy link
Collaborator

@j--- j--- left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks good to me.

I expect there are places where folks could quibble with whether a tool is "easy enough" to use to exploit any instance of one of the CWEs listed. But I think this is a considered and well-formed place for us to have detailed conversations about that question if anyone would like to raise those questions in the details. In some sense, if anyone has questions about how to map data for State of Exploitation at that level of detail, I'll be quite pleased.

Thanks very much for putting this together!

Copy link
Contributor

@ahouseholder ahouseholder left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a great addition, thanks for the help!

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I moved this into a folder just for housekeeping. No changes to the csv from @koscinv

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the interest of avoiding a follow-on issue to update the docs, I went ahead and added the CSV to the exploitation page and did a light revision to the page to make it fit in.

@ahouseholder ahouseholder merged commit 5f22632 into CERTCC:main Nov 9, 2023
1 check passed
@ahouseholder ahouseholder added documentation Improvements or additions to documentation enhancement New feature or request labels Nov 17, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
documentation Improvements or additions to documentation enhancement New feature or request
Projects
None yet
Development

Successfully merging this pull request may close these issues.

List of CWE for "state of exploitation" value PoC "the vulnerability has a well-known method of exploitation."
3 participants