How to rate application vulnerability?

I have a system with Apache HTTP Server 2.4.55 with high vulnerabilities when I click on the service cpe:/a:apache:http_server:2.4.55.

Under report - applications it is listed as severity “N/A”, but the application has
CVE-2023-25690
CVE-2023-27522

The application severity is not taken into account when evaluating the host. Is this a bug in the community edition?

How can I interpret the application results?
There are no Apache vulnerabilities found.

Does that mean the application has vulnerabilities, but in this case the system is not vulnerable?

I guess this is the same bug you linked to:

Thanks, I had already suspected that, but is only the severity missing under “Hosts”?
My question relates to how I should evaluate this from a safety perspective. Data is now also missing from the report?

In my case, there are no results in the report that show the application to be vulnerable.

For future reference, here is how you can address this issue from your end.

  • Search the CVEs page of Greenbone Community Edition. You will find both of these CVEs are found there.
  • Search the NVTs page of Greenbone Community Edition. Many NVTs reference these CVEs including at least one NVT in each of the major Linux distribution NVT families.

Now you can be confident that there are NVTs to test for this CVE. If you want to see the code of the NVT to assess how it works, you will need to look at the .nasl file, which is typically located in the /usr/lib/openvas/plugins directory. This is very worthwhile because you seem to believe that this vulnerability affects Apache HTTP Server 2.4.55, which is not actually correct. This vulnerability impacts the mod_proxy module of Apache. Meaning if you do not have mod_proxy enabled (which most instances of Apache will not), then you are not vulnerable.

It is certainly worthwhile finding the .nasl file to see how this service detection is technically executed.
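The two checks the answer above describes (finding which NVTs under the plugin directory reference a given CVE, and confirming whether mod_proxy is actually loaded on the host) can be scripted. The following is an added example, not code from the thread or from Greenbone; it assumes the default plugin path /usr/lib/openvas/plugins, the NASL convention that a script lists its CVEs inside a script_cve_id("CVE-...", ...) call, and that `apachectl -M` prints loaded modules one per line in the form `proxy_module (shared)`. The sample NASL files and module listing built in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the forum thread). Assumptions: Greenbone plugin
# directory layout, NASL script_cve_id() convention, `apachectl -M` output format.

PLUGIN_DIR="${PLUGIN_DIR:-/usr/lib/openvas/plugins}"   # default install path, assumption

# nvts_for_cve DIR CVE-ID
# Print every .nasl file under DIR whose script_cve_id() declaration quotes CVE-ID.
# The quoted form ("CVE-2023-25690") avoids matching the id inside prose comments.
nvts_for_cve() {
    dir="$1"; cve="$2"
    find "$dir" -type f -name '*.nasl' -exec grep -l "\"$cve\"" {} + 2>/dev/null | sort
}

# nvt_count_for_cve DIR CVE-ID : number of NVTs referencing the CVE (0 when none).
nvt_count_for_cve() {
    n=$(nvts_for_cve "$1" "$2" | wc -l | tr -d ' ')
    echo "${n:-0}"
}

# mod_proxy_loaded FILE
# FILE holds the output of `apachectl -M` (or `httpd -M`). Returns 0 when
# proxy_module is loaded, i.e. the host actually exposes the mod_proxy code path.
mod_proxy_loaded() {
    grep -q '^[[:space:]]*proxy_module' "$1"
}

# Demo on a constructed sample tree so the script runs without an OpenVAS install.
demo() {
    tmp=$(mktemp -d)
    printf 'script_cve_id("CVE-2023-25690", "CVE-2023-27522");\n' > "$tmp/apache_mod_proxy.nasl"
    printf 'script_cve_id("CVE-2023-25690");\n'                    > "$tmp/debian_dsa_sample.nasl"
    printf 'script_cve_id("CVE-2020-0001");\n'                      > "$tmp/unrelated.nasl"
    # Constructed `apachectl -M` output with mod_proxy NOT loaded.
    printf 'Loaded Modules:\n core_module (static)\n mpm_event_module (shared)\n' > "$tmp/modules.txt"

    echo "NVTs referencing CVE-2023-25690:"
    nvts_for_cve "$tmp" CVE-2023-25690
    if mod_proxy_loaded "$tmp/modules.txt"; then
        echo "proxy_module loaded: host exposes the affected code path"
    else
        echo "proxy_module not loaded: NVT hits for this CVE are not exploitable here"
    fi
    rm -rf "$tmp"
}

# Real usage: nvts_for_cve "$PLUGIN_DIR" CVE-2023-25690 ; apachectl -M > /tmp/mods && mod_proxy_loaded /tmp/mods
[ "${1:-}" = "demo" ] && demo
```

Run with `sh script.sh demo` to see the constructed case; against a live system, point `nvts_for_cve` at the real plugin directory and feed `mod_proxy_loaded` the saved output of `apachectl -M`. An NVT hit for the CVE together with a missing proxy_module is the situation the answer describes: the scanner knows the weakness, but the host does not run the affected module.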
