312-50V9 · Question #59
A newly discovered flaw in a software application would be considered which kind of security vulnerability?
The correct answer is C. 0-day vulnerability. A zero-day vulnerability is a newly discovered flaw for which no vendor patch or fix yet exists, giving defenders zero days to respond.
Question
A newly discovered flaw in a software application would be considered which kind of security vulnerability?
Options
- AInput validation flaw
- BHTTP header injection vulnerability
- C0-day vulnerability
- DTime-to-check to time-to-use flaw
How the community answered
(42 responses)- A2% (1)
- B2% (1)
- C86% (36)
- D10% (4)
Why each option
A zero-day vulnerability is a newly discovered flaw for which no vendor patch or fix yet exists, giving defenders zero days to respond.
Input validation flaws describe vulnerabilities caused by insufficient sanitization of user-supplied data, which is a class of vulnerability type, not a descriptor for when a flaw was discovered.
HTTP header injection is a specific technique where unvalidated input is inserted into HTTP response headers, not a general category for newly discovered vulnerabilities.
The term 'zero-day' (0-day) describes a vulnerability that has just been discovered, meaning the vendor has had zero days to develop and release a patch. Because no fix is available, systems remain exposed from the moment of discovery until a patch is issued. This is precisely the scenario described - a newly discovered flaw with no existing remediation.
A time-to-check to time-to-use (TOCTOU) flaw is a race condition vulnerability where resource state changes between a security check and its use, which is unrelated to the recency of discovery.
Concept tested: Definition and classification of zero-day vulnerabilities
Source: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Topics
Community Discussion
No community discussion yet for this question.