Skip to content
/ cve_pull Public

Tool to pull information from the National Vulnerability Database (NVD) Common Vulnerabilities and Exposures (CVEs)

1 star 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

ajread4/cve_pull

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits
bin
bin
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 
cve_pull.py
cve_pull.py
 
 
requirements.txt
requirements.txt
 
 

Repository files navigation

cve_pull

cve_pull is a tool to pull Common Vulnerabilities and Exposures (CVE) from the National Vulnerability Database (NVD) without the use of the NVD API

Install

git clone https://github.com/ajread4/cve_pull.git
cd cve_pull
pip3 install -r requirements.txt

Usage

$ python3 cve_pull.py -h
usage: cve_pull.py [-h] [-c  cve] [-f  cve_file] [-d]

cve_pull - a tool to pull information regarding a CVE or multiple CVEs from the National Vulnerability Database (NVD).

options:
  -h, --help            show this help message and exit
  -c  cve, --cve cve    specify the CVE #
  -f  cve_file, --file cve_file
                        specify a CSV with multiple CVE #s in a single column
  -d, --description     return the description of the CVE

Example

  1. Return the CVSS for CVE-2020-0764.
$ python3 cve_pull.py -c CVE-2020-0764
CVSS2 Score: 4.6 MEDIUM
CVSS3 Score: 7.8 HIGH
  1. Return the CVSS and description of CVE-2021-45046.
$ python3 cve_pull.py -c CVE-2021-45046 -d
CVSS2 Score: 5.1 MEDIUM
CVSS3 Score: 9.0 CRITICAL
Description: It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.
  1. Return the CVSS for each CVE within an input file.
$ python3 cve_pull.py -f /home/ajread/code/KEV_CVEs.csv
CVE: CVE-2004-2761
5.0 MEDIUM
No CVSSv3 Score
CVE: CVE-2012-1823
7.5 HIGH
No CVSSv3 Score
CVE: CVE-2013-0640
9.3 HIGH
No CVSSv3 Score
CVE: CVE-2013-0641
9.3 HIGH
No CVSSv3 Score
CVE: CVE-2013-1609
6.8 MEDIUM
No CVSSv3 Scores
  1. Return the Published Date and scores for a CVE.
$ python3 cve_pull.py -c CVE-2019-0708 -t
CVSS2 Score: 10.0 HIGH
CVSS3 Score: 9.8 CRITICAL
Published Date: 05/16/2019

Author

All code was written by me, AJ Read, with inspiration from MachineThing's cve_lookup.

About

Tool to pull information from the National Vulnerability Database (NVD) Common Vulnerabilities and Exposures (CVEs)

Topics

vulnerability nvd vulnerability-detection cve-search cve-databases common-vulnerability-exposure

Resources

Readme
Activity

Stars

1 star

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages