PCI Report: Detailed Results

The Detailed Results section shows detailed information about all detected vulnerabilities and potential vulnerabilities for each scanned host.

Host Information

Hosts are listed by IP address with the DNS and NetBIOS hostnames shown in parentheses, when available. The operating system detected on the host is shown on the right. Vulnerabilities Total shows the total number of vulnerabilities detected on the host, including confirmed vulnerabilities, potential vulnerabilities and information gathered that are shown in the vulnerability details section.

Compliance Status (appears in scan results reports only)

indicates that the host is Compliant. No vulnerabilities, which must be fixed to pass PCI compliance, were found on the host.

indicates that the host is Not Compliant. One or more vulnerabilities, which must be fixed to pass PCI compliance, were found on the host.

PCI Compliance Status

The PCI compliance status for each vulnerability will be or .

Tell me about the PCI compliance status. The vulnerabilities with the status must be remediated to pass the PCI compliance requirements. The vulnerabilities that do not show a PCI status are vulnerabilities that the service found on the hosts. Although these vulnerabilities are not in scope for PCI, we recommend that you remediate the vulnerabilities in severity order.

Tell me about the PCI severity. The PCI severity level appears as: HIGH, MEDIUM or LOW. See PCI Pass/Fail Criteria.

Tell me about the reasons. The service lists reasons for passing or failing PCI compliance to help you understand the PCI compliance status. Note that the service is compliant with the requirements in the PCI ASV Program Guide.

Vulnerability Details

For each host, a list of the detected vulnerabilities (red), potential vulnerabilities (yellow) and information gathered (blue) appears with detailed threat, impact and solution descriptions.

A service-provided severity level (1-5) is assigned to each vulnerability and appears before the vulnerability title. Severity levels are provided for remediation purposes only and are not taken into consideration when calculating the PCI pass/fail compliance status. See the Report Legend in the Appendices section of the report to learn more about these severity levels.

Descriptions of vulnerability information follow.

CVSS Base Score. CVSS stands for the Common Vulnerability Scoring System. The CVSS base score represents the fundamental, unchanging qualities of the vulnerability. The PCI compliance service uses the CVSS version 3.1 base score provided by NIST to determine whether a vulnerability must be fixed to pass PCI compliance requirements. When a CVSS version 3.1 score is not available from NIST, the service provides a CVSS 3.0 score and uses that score to determine whether the vulnerability must be fixed. When CVSS version 3.1 and 3.0 scores are not available, the CVSS version 2.0 base score is used. When a CVSS version 2.0 score is not available from NIST, the service provides a CVSS 2.0 score.

CVSS Temporal Score. The CVSS temporal score represents time-dependent qualities of the vulnerability.

Severity. The highest severity level reported based on the vulnerabilities and potential vulnerabilities detected on the host. See the Report Legend in the Appendices section of the report to learn more about service-provided severity levels (1-5).

QID. The ID number assigned to the vulnerability.

Category. The category the vulnerability is assigned to.

CVE ID. If available, this is a link to the CVE name(s) associated with this vulnerability check. CVE (Common Vulnerabilities and Exposures) is a list of common names for publicly known vulnerabilities and exposures. Through open and collaborative discussions, the CVE Editorial board determines which vulnerabilities or exposures are included in CVE. If the CVE name starts with CAN (candidate), then it is under consideration for entry into CVE.

Vendor Reference. A reference number released by the vendor regarding the vulnerability, such as a Microsoft Security Bulletin like MS03-046. This may be a link directly to the vendor's web site.

Bugtraq ID. The Bugtraq ID number assigned to the vulnerability by SecurityFocus, a vendor-neutral web site that provides security information to members of the security community. Select the Bugtraq ID to link directly to the SecurityFocus web site.

Last Update. The date this vulnerability check was last updated in the KnowledgeBase.

Threat. A description of the vulnerability threat.

Impact. A description of the possible consequences that may occur if the vulnerability is successfully exploited.

Solution. A suggested solution to fix the problem. This may include a link to a patch, update, the vendor's Web site, or a workaround.

Result. Specific scan test results for the vulnerability on the host.
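
The score precedence in the CVSS Base Score description above can be checked against an export of findings with a short script. This is an added example, not code from the service: the record layout, the function names, the QIDs and the 4.0 fail threshold are assumptions (the threshold is the general rule in the PCI ASV Program Guide; confirm it against PCI Pass/Fail Criteria).

```python
# Precedence from the CVSS Base Score description: (version, source), best first.
PRECEDENCE = [("3.1", "nist"), ("3.0", "service"), ("2.0", "nist"), ("2.0", "service")]


def select_base_score(scores):
    """Return (version, source, value) for the score that decides PCI status, or None."""
    usable = {}
    for entry in scores:
        value = entry.get("value")
        # Ignore absent or out-of-range values so a bad entry cannot mask a valid fallback.
        if isinstance(value, (int, float)) and not isinstance(value, bool) and 0.0 <= value <= 10.0:
            usable.setdefault((entry.get("version"), entry.get("source")), float(value))
    for key in PRECEDENCE:
        if key in usable:
            return key + (usable[key],)
    return None


def triage(findings, fail_threshold):
    """Label each finding with its deciding score and whether it meets the fail threshold."""
    report = []
    for finding in findings:
        basis = select_base_score(finding.get("scores", []))
        # The service severity level (1-5) is deliberately not consulted here.
        must_fix = None if basis is None else basis[2] >= fail_threshold
        report.append({"qid": finding["qid"], "basis": basis, "must_fix": must_fix})
    return report


# Constructed sample findings; the QIDs and scores are placeholders, not real checks.
SAMPLE = [
    {"qid": 900001, "severity": 2, "scores": [
        {"version": "3.1", "source": "nist", "value": 7.5},
        {"version": "2.0", "source": "nist", "value": 5.0}]},
    {"qid": 900002, "severity": 5, "scores": [
        {"version": "3.1", "source": "nist", "value": None},
        {"version": "3.0", "source": "service", "value": 3.1},
        {"version": "2.0", "source": "nist", "value": 6.8}]},
    {"qid": 900003, "severity": 3, "scores": [
        {"version": "2.0", "source": "service", "value": 4.0}]},
    {"qid": 900004, "severity": 1, "scores": []},
]
ASSUMED_FAIL_THRESHOLD = 4.0  # assumption, see the lead-in

if __name__ == "__main__":
    for row in triage(SAMPLE, ASSUMED_FAIL_THRESHOLD):
        print(row)
```

Finding 900002 shows why the basis matters: its version 2.0 score would meet the threshold, but the version 3.0 score takes precedence and does not.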