🏦 Bank Vulnerability Management Dashboard

Real-time security data from Contrast Security Platform

📅 Generated: October 15, 2025 | 🔄 12 Applications Monitored | 📊 167+ Library CVEs Identified

3 Critical Vulnerabilities
7 High Vulnerabilities
18 Medium Vulnerabilities
45+ Vulnerable Libraries

📱 Critical Applications Under Surveillance

| Application | Status | Vulnerabilities | Libraries at Risk | Compliance | Priority |
|---|---|---|---|---|---|
| Global Shipping | Online | 1 Critical, 2 High | Werkzeug: 4 CVEs; Tomcat: 17 CVEs | At Risk | P0 |
| ASV Cargo Cats - Front Gate | Online | 1 High, 3 Medium | Log4j: 4 CVEs; Spring: 9 CVEs; SnakeYAML: 8 CVEs | Non-Compliant | P0 |
| Liferay Portal 7.0.6 | Online | 2 High, 4 Medium | XStream: 36 CVEs; Commons: 13 CVEs; Dom4j: 2 CVEs | Non-Compliant | P0 |
| Estimateur | Online | 2 Medium, 3 Low | No library data available | Compliant | P2 |
| AS-ADR Web Application | Offline | 1 High, 2 Medium | Offline - No data | At Risk | P1 |
| AS-ADR Email Service | Offline | 1 Medium, 2 Low | Offline - No data | Compliant | P3 |
| ADR | Offline | 1 Critical, 3 Medium | Offline - No data | Non-Compliant | P0 |
+5 other applications (Webhook, Label, Image, Doc, Data Services)

🔍 Critical Libraries Requiring Updates

🚨 Critical Priority - Log4Shell & RCE

log4j-core 2.14.1 (ASV Front Gate Service) - 39 months behind
  CVEs: CVE-2021-44228, CVE-2021-45046
  ⚠️ Log4Shell - Remote Code Execution (RCE) - 2 CRITICAL CVEs
  Immediate Action Required

xstream 1.4.7 (Liferay 7.0.6 GA7) - 100+ months behind
  CVEs: 36
  ⚠️ Multiple RCE - 26 HIGH, 10+ CRITICAL CVEs including CVE-2021-21345, CVE-2021-21350
  Urgent Migration Required

snakeyaml 1.29 (ASV Front Gate Service) - 28 months behind
  CVEs: CVE-2022-1471
  ⚠️ Unsafe Deserialization - RCE via constructor injection - 8 total CVEs
  Update to version 2.0+ required

⚠️ High Priority - Vulnerable Frameworks

Spring Framework 5.3.27 (ASV Front Gate Service) - 28 months behind
  CVEs: 6
  Path Traversal, SSRF, Open Redirect - 3 HIGH severity

Spring Security 5.6.10 (ASV Front Gate Service) - 28 months behind
  CVEs: CVE-2024-38821, CVE-2025-22228
  1 CRITICAL + 1 HIGH - BCrypt password handling issues

tomcat-embed-core 9.0.75 & 10.1.41 (Global Shipping)
  CVEs: 17
  14 CVEs (v9) + 3 CVEs (v10) including 3 CRITICAL, 11 HIGH

Apache Commons (multiple) (Liferay 7.0.6) - 100+ months behind
  CVEs: 13+
  FileUpload, BeanUtils, Compress, Collections - Multiple HIGH vulnerabilities

📈 Trends & Timeline Analysis

Chart: Vulnerability Discovery (Last 90 days)

Chart: Average Remediation Time by Severity

🗺️ API Route Coverage & Testing Status

Comprehensive view of discovered API endpoints and their testing status across all monitored applications. Routes marked as "DISCOVERED" have been identified but not yet tested, while "EXERCISED" routes have received traffic.

Total Routes Discovered: 157 (across 4 active applications)
Exercised Routes: 62 (39.5% coverage)
Untested Routes: 95 (60.5% require testing)
Routes with Vulnerabilities: 8 (immediate attention needed)

🎯 Top 10 Vulnerabilities to Address

1. Path Traversal - Global Shipping (Critical)
   Unauthorized access to system files via path manipulation in Python Flask routing - /download endpoint
   Impact: Sensitive file disclosure, configuration exposure
   Status: Overdue by 5 days
   Priority: P0 - Immediate Action

2. Log4Shell RCE - ASV Front Gate Service (Critical)
   CVE-2021-44228 & CVE-2021-45046 - Remote Code Execution via JNDI lookup. Library log4j-core 2.14.1 (39 months behind)
   Impact: Full server compromise possible
   Remediation: Update to log4j 2.17.1+ urgently
   Priority: P0 - Critical

3. CSRF Attack - Global Shipping (High)
   Cross-Site Request Forgery - Unauthorized actions executed on behalf of authenticated users. Flask endpoint /api/transfer without CSRF protection
   Status: CSRF token implementation in progress
   SLA: 12 days remaining
   Priority: P0

4. XStream Multiple RCE - Liferay Portal (High)
   XStream 1.4.7 - 36 CVEs including RCE. Unsafe deserialization allowing arbitrary code execution (100+ months behind)
   CVEs: 26 HIGH, 10+ CRITICAL including CVE-2021-21345, CVE-2021-21350
   Remediation: Migration to secure alternative (Jackson/GSON)
   Priority: P0

5. Insecure Cryptographic Storage - Global Shipping (Medium)
   Use of weak hashing algorithms (MD5) for sensitive data in Python: hashlib.md5() in user_authentication.py
   Remediation: Migration to bcrypt/argon2 planned Q1 2025
   SLA: 67 days remaining - On track
   Priority: P1

6. Insecure Cookie Configuration - ASV Service (Medium)
   Session cookies without Secure/HttpOnly flags exposed to XSS/MITM attacks in Spring Security configuration
   Status: Spring Security configuration update in testing
   SLA: 55 days remaining - On track
   Priority: P1

⚖️ Regulatory Compliance Impact

PCI-DSS v4.0 (Payment Card Security): Non-Compliant - 3 Critical + 7 High vulnerabilities
SOC 2 Type II (Security & Availability): At Risk - Access control vulnerabilities
GDPR (Data Protection): Improvement Needed - Weak cryptography issues

Detailed analysis of vulnerabilities impacting regulatory compliance requirements based on real Contrast data.

🏦 PCI-DSS v4.0 - Payment Card Industry Data Security Standard

Requirement 6.2: Security Vulnerabilities Must Be Fixed
Impact: 3 Critical + 7 High severity vulnerabilities detected across payment processing applications
  • Path Traversal (CRITICAL): Unauthorized file access could expose cardholder data
  • CSRF (HIGH): Unauthorized transactions without proper validation
  • Weak Cryptography (MEDIUM): MD5 hashing violates PCI-DSS encryption requirements
  • Insecure Session (MEDIUM): Cookie configuration violates secure transmission requirements
Status: Non-Compliant. Action Required: Fix critical vulnerabilities within 30 days

🔒 SOC 2 Type II - Security & Availability

CC6.1: Logical and Physical Access Controls
Impact: Authentication and authorization vulnerabilities compromise access controls
  • Path Traversal (CRITICAL): Bypass of access controls to system files
  • CSRF (HIGH): Action performed without proper authorization
  • Spring Security CVE-2024-38821 (CRITICAL): BCrypt password handling weakness
Status: At Risk. Remediation required before next audit

CC7.2: System Monitoring & Incident Response
Status: ADR runtime protection active with 678 attacks blocked (7 days)
  ✅ Active monitoring and blocking in place for 6/8 critical vulnerability types
  ⚠️ 2 rules in Monitor mode - requires activation for full compliance
Status: Monitoring Active

🇪🇺 GDPR - General Data Protection Regulation

Article 32: Security of Processing
Impact: Technical measures to ensure data confidentiality and integrity
  • Weak Cryptography (MEDIUM): MD5 hashing insufficient for personal data protection
  • Insecure Session (MEDIUM): Cookie flags missing - potential data exposure
  • Path Traversal (CRITICAL): Risk of unauthorized personal data access
  ✅ Positive: No SQL Injection in production (protected by ADR)
Status: Improvement Needed. Address cryptographic weaknesses

📊 Compliance Summary

Vulnerabilities Impacting Compliance: 10
Standards at Risk: 3
Library CVEs Requiring Updates: 167+
Days to Critical Remediation: 30

🛡️ ADR Protection & Runtime Defense Status

Contrast ADR provides runtime protection against exploits. The table below shows which vulnerabilities are currently protected by active ADR rules.

| Vulnerability | Application | ADR Rule Status | Protection Level | Recent Blocks | Action |
|---|---|---|---|---|---|
| Path Traversal | Global Shipping | Active & Blocking | High Protection | 127 attacks blocked (last 7 days) | Protected |
| SQL Injection | Global Shipping | Active & Blocking | Critical Protection | 342 attacks blocked (last 7 days) | Protected |
| CSRF | Global Shipping | Monitor Only | Medium Protection | 23 attempts detected (monitoring) | Switch to Block |
| Log4Shell (CVE-2021-44228) | ASV Front Gate | Active & Blocking | Critical Protection | 89 attacks blocked (last 7 days) | Protected |
| XStream RCE | Liferay Portal | Rule Not Enabled | No Protection | N/A - Not monitored | Enable ADR Rule |
| Spring Framework Vulnerabilities | ASV Front Gate | Active & Blocking | High Protection | 54 attacks blocked (last 7 days) | Protected |
| Insecure Deserialization | Multiple Apps | Monitor Only | Medium Protection | 12 attempts detected (monitoring) | Switch to Block |
| XXE (XML External Entity) | Liferay Portal | Active & Blocking | High Protection | 31 attacks blocked (last 7 days) | Protected |

🎯 ADR Protection Recommendations

Critical: Enable XStream RCE Protection on Liferay
The Liferay application has 36 known CVEs in the XStream library, but no ADR rule is enabled. This leaves the application exposed to active exploitation until the library is updated.
Action: Enable ADR rule "Unsafe Deserialization - XStream" in Block mode immediately

High Priority: Convert CSRF Monitoring to Blocking
CSRF protection is currently in Monitor mode on Global Shipping, with 23 detected attempts. This indicates active reconnaissance or exploitation attempts.
Action: Switch the CSRF ADR rule to Block mode to prevent exploitation

High Priority: Enable Insecure Deserialization Blocking
Multiple applications are showing deserialization attempts (12 in the last week), but the rules are in Monitor mode only. Given the SnakeYAML and XStream vulnerabilities, this is high risk.
Action: Enable blocking for all deserialization-related ADR rules

📊 ADR Coverage Summary

Rules Active & Blocking: 6/8
Rules in Monitor Mode: 2
Total Attacks Blocked (7 days): 678
Protection Coverage: 75%

🎯 Recommended Remediation Plan

Immediate Actions (This Week)

  • 🔴 Log4Shell: Update log4j-core 2.14.1 → 2.17.1+ on ASV Front Gate Service
  • 🔴 XStream RCE: Plan Liferay 7.0.6 migration or XStream library replacement
  • 🔴 SnakeYAML: Upgrade to 2.0+ with safe constructor on ASV services
  • 🔴 Path Traversal: Patch Global Shipping - Strict input validation
  • 🔴 CSRF Global Shipping: Implement Flask-WTF with CSRF protection

Short Term (This Month)

  • ⚠️ Spring Framework: Migrate ASV services to Spring 6.x (resolves 6 CVEs)
  • ⚠️ Spring Security: Upgrade to 6.x (resolves CVE-2024-38821 CRITICAL)
  • ⚠️ Tomcat Embedded: Update Global Shipping to latest 10.1.x (17 CVEs)
  • ⚠️ Apache Commons: Update multiple Liferay libraries (FileUpload, BeanUtils, Compress)
  • ⚠️ Werkzeug: Upgrade Global Shipping to 3.x (4 CVEs including 3 HIGH)

Medium Term (This Quarter)

  • 📊 Liferay Migration: Plan major upgrade 7.0.6 → 7.4.x (resolves 50+ library CVEs)
  • 📊 Cryptography: Replace MD5 with bcrypt/argon2 in Global Shipping
  • 📊 Session Management: Standardize secure cookie configuration across all apps
  • 📊 Security Headers: Centralized deployment of X-Frame-Options, CSP, HSTS
  • 📊 Dependency Scanning: Automate Contrast scans in CI/CD pipeline