
Severity Levels

With the new Critical severity about to be added to the SAST queries, the following definitions were written to help us assess the severity levels of Checkmarx SAST queries.

To clarify in advance, SAST is a static analysis tool that identifies weaknesses in code that may cause vulnerabilities. Weaknesses are vulnerability categories into which a specific vulnerability would fit. It is vital to note, however, that while we put significant effort into qualifying weaknesses and their respective severity, specific vulnerabilities may, in practice, have lower severity (a low-privilege SQL injection allowing attackers to read the cafeteria menu) or higher severity (a path traversal vulnerability that allows retrieving an admin password file) than that noted on this page.

For a weakness in code to graduate to a confirmed vulnerability, manual testing must be conducted to prove exploitability and to measure the dynamic metrics that justify a greater severity level. Accordingly, queries of Critical severity in the SAST product need to be clearly differentiated from the other levels and cover only cases of high risk that compromise the full extent of the CIA triad.

Critical

Definition: Critical vulnerabilities are the most severe and demand immediate attention due to their high risk to the security and functionality of the software. The exploitation of these vulnerabilities can result in devastating consequences, including complete system compromise, unauthorized access, or significant data breaches. They have the potential to completely compromise the confidentiality, integrity, and availability of the system, making them a top priority for remediation. These vulnerabilities often require urgent mitigation measures to prevent severe impacts on the software and its users. Failure to address them promptly can lead to severe security breaches and substantial damage to the organization and its stakeholders.

Examples: Remote code execution, command injection, SQL injection.

High

Definition: High vulnerabilities pose a significant risk and require prompt attention due to their potential to cause serious security issues if exploited. Although they may not reach the same level of impact as critical vulnerabilities, high-severity issues enable malicious attackers to gain unauthorized access to application resources and sensitive data, thereby facilitating the theft of session information or valuable data from both the application and the server. The key distinction between high and critical vulnerabilities lies in the potential consequences and severity of their impact: a high-severity vulnerability does not involve the execution of code or a command on the application or server. On top of this, significant compromise and exploitability require factors beyond an attacker's control, such as an active privileged user being targeted and successfully exploited. Addressing high vulnerabilities on time is crucial to mitigate potential risks and protect the software.

Examples: Cross-site scripting (XSS), XML external entity (XXE) injection, and cleartext submission of sensitive information.

Medium

Definition: Medium vulnerabilities highlight potential security weaknesses, such as misconfigurations, that may result in limited unauthorized access or data exposure, which can have an adverse effect on the confidentiality, integrity, or availability of the system, although to a lesser extent. While the impact of these vulnerabilities is typically less severe compared to critical or high vulnerabilities, they still require attention to maintain the overall security posture of the software.

Examples: Cross-site request forgery (CSRF), open redirections, ReDoS, and information exposure of some kind (privacy violation, PCI exposure).

Low

Definition: Low vulnerabilities are generally considered less pressing and have a minimal impact on the immediate security of the software. These vulnerabilities often involve specific coding weaknesses or potential areas for improvement rather than posing an immediate threat to the CIA triad. While low vulnerabilities may not significantly compromise the confidentiality, integrity, or availability of the system, addressing them is still important to maintain a robust security posture and minimize potential risks. By addressing low vulnerabilities, you can prevent their escalation into more significant security issues or potential routes for exploitation.

Examples: Missing input validation (log forging), internal information exposure (logs, error messages), and misconfigurations.