Manually Validating Vulnerabilities from a Vulnerability Scan

I just wanted to get your input on how you manually validate vulnerabilities from a vulnerability scan or a vulnerability release from a vendor. Say you received a report with a high vulnerability, and the vulnerability scanner used a version check of the header. If there are no public exploits for this vulnerability, how would you check it if you do not have access to the server internally? An example would be CVE-2019-13917: I can't seem to find a public exploit to throw at the server to validate the vulnerability, and my last resort would be to send it to the IT team responsible. Is this the right approach? – if there are no public exploits, the only other way is to create an exploit yourself by reverse engineering the patch from the vendor…

I have been given a report from the Shodan vulnerability scanner, which seems to do a version check, and I need to validate whether the vulnerabilities are actually an issue.

I know that version checking is prone to a large number of false positives. Is there any way around this?

Regards
Brad