Recently we saw that there were some questions on Twitter about the HTTP TRACE vulnerability check in Nexpose, specifically around the CVSS score. Thank you @digininja, @tautology0, and @raesene for raising this issue - we love to hear from our users and appreciate honest feedback on our solutions. Questions like these cause us to challenge our own assumptions and reasoning, which is always a healthy process.
Generally speaking, our approach to creating CVSS scores for vulnerabilities is that we err on the side of the higher score so we don't downplay anything that could pose a risk to you and your organization. In many cases this is straightforward; the score is what it is. In the case where there are multiple related vulnerabilities, the CVSS scores are consolidated and the highest score is presented as the CVSS in Nexpose. Again, that's so that the worst case is considered and you know the potential for the risk.
In the specific case of HTTP TRACE, the related vulnerabilities range from 4.3 to 5.8:
- CVE-2004-2320 – 5.8
- CVE-2004-2763 – 5.8
- CVE-2005-3398 – 4.3
- CVE-2006-4683 – 5.0
- CVE-2007-3008 – 4.3
- CVE-2008-7253 – 4.3
- CVE-2009-2823 – 4.3
- CVE-2010-0386 – 4.3
So we took the highest score, 5.8, as the CVSS for Nexpose. We're aware that other vendors may have scored this and related or similar vulnerabilities differently. NVD classifies this family of vulnerabilities as Medium, and Nexpose classifies them the same way: NVD's Medium range is CVSS 4 to 7, and Nexpose's Severe range covers the same scores.
HTTP TRACE is mostly useful to an attacker for Man-in-the-Browser style attacks, because the server echoes the full request (headers included) back to the client. Leaving the HTTP TRACE method enabled can therefore expose your website to client-side attacks. Though this vulnerability is about 11 years old and browser security has improved since it was discovered, mitigating some of HTTP TRACE's inherent risk, if this vulnerability is still present in your network, we want to make absolutely sure you know that it still poses a risk.
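For readers who want to verify the finding themselves, the following Python example shows what a TRACE check looks like from the defender's side. It is added here for illustration and is not Nexpose's check or any Rapid7 code; the marker header name `X-Trace-Probe`, the `probe` helper, and the two sample responses are all constructed for this example. The check sends a TRACE request carrying a random marker header and reports TRACE as enabled only when the server answers 200 and echoes that marker back in the body, which is exactly the reflection behaviour that makes the method dangerous.

```python
import secrets
import socket
from typing import Optional

# Custom header whose reflection proves the server echoed our request.
# Assumption: nothing between us and the origin strips unknown headers.
MARKER = "X-Trace-Probe"


def build_trace_request(host: str, marker_value: str) -> bytes:
    """Build a minimal HTTP/1.1 TRACE request carrying a recognisable marker header."""
    return (
        f"TRACE / HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"{MARKER}: {marker_value}\r\n"
        f"Connection: close\r\n\r\n"
    ).encode("ascii")


def parse_status(response: bytes) -> Optional[int]:
    """Return the numeric status code from the response's status line, or None if unparsable."""
    status_line, _, _ = response.partition(b"\r\n")
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return None
    try:
        return int(parts[1])
    except ValueError:
        return None


def trace_enabled(response: bytes, marker_value: str) -> bool:
    """TRACE counts as enabled only when the server replies 200 AND echoes our marker header.

    A 200 without the echo (e.g. a load balancer serving its own page) is not a finding;
    405/501 or a dropped connection means the method is refused.
    """
    if parse_status(response) != 200:
        return False
    _, _, body = response.partition(b"\r\n\r\n")
    return f"{MARKER}: {marker_value}".encode("ascii") in body


def probe(host: str, port: int = 80, timeout: float = 5.0) -> bool:
    """Send a TRACE request over plain TCP and classify the answer (network helper, not run offline)."""
    marker_value = "check-" + secrets.token_hex(8)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_trace_request(host, marker_value))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return trace_enabled(b"".join(chunks), marker_value)


# Constructed sample responses for offline testing (not captured from any real host).
ECHOING_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: message/http\r\n"
    b"Connection: close\r\n\r\n"
    b"TRACE / HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"X-Trace-Probe: check-deadbeef\r\n"
    b"Connection: close\r\n\r\n"
)
REFUSING_RESPONSE = (
    b"HTTP/1.1 405 Method Not Allowed\r\n"
    b"Allow: GET, HEAD, POST\r\n"
    b"Content-Length: 0\r\n"
    b"Connection: close\r\n\r\n"
)


if __name__ == "__main__":
    print("echoing server -> enabled:", trace_enabled(ECHOING_RESPONSE, "check-deadbeef"))
    print("refusing server -> enabled:", trace_enabled(REFUSING_RESPONSE, "check-deadbeef"))
```

Once you confirm the method is on, the fix lives in the web server configuration rather than in application code: Apache httpd turns it off with `TraceEnable off`, and nginx refuses TRACE with a 405 by default. Re-run the check after the change so the scanner finding and your own verification agree.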
If you have more questions on our scoring methodology, please leave a comment below. Thanks!
More information on HTTP TRACE
- This PDF (though 11 years old) provides additional security context: http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
- The W3C also has more information: HTTP/1.1: Method Definitions