v0.19.0
What's new in v0.19.0
TL;DR
- The Cybersecurity & Infrastructure Security Agency (CISA) has released the Known Exploited Vulnerabilities (KEV) Catalog, a list of CVE-IDs for which attack code is publicly available and which are actually used in real-world attacks.
- vulsio/go-kev now manages KEV Catalog information.
- Vuls v0.19.0 works with vulsio/go-kev to display alerts for CVE-IDs in the KEV Catalog.
How it works
vuls report
$ vuls report
...
vuls-target (debian10.11)
=========================
Total: 225 (Critical:20 High:79 Medium:95 Low:16 ?:15)
0/222 Fixed, 67 poc, 0 exploits, cisa: 2, uscert: 4, jpcert: 6 alerts
218 installed
+---------------------+------+--------+-----+-----------+---------+---------------------------------------------------+
| CVE-ID | CVSS | ATTACK | POC | ALERT | FIXED | NVD |
+---------------------+------+--------+-----+-----------+---------+---------------------------------------------------+
...
| CVE-2021-42013 | 9.8 | AV:N | POC | CISA/CERT | | https://nvd.nist.gov/vuln/detail/CVE-2021-42013 |
...
| CVE-2021-41524 | 7.5 | AV:N | | CERT | | https://nvd.nist.gov/vuln/detail/CVE-2021-41524 |
| CVE-2021-41773 | 7.5 | AV:N | POC | CISA/CERT | | https://nvd.nist.gov/vuln/detail/CVE-2021-41773 |
| CVE-2008-4609 | 7.1 | AV:N | | CERT | unfixed | https://nvd.nist.gov/vuln/detail/CVE-2008-4609 |
...
vuls tui
What is the Known Exploited Vulnerabilities Catalog?
On November 3, 2021, the Cybersecurity & Infrastructure Security Agency (CISA) released Binding Operational Directive 22-1 (BOD 22-1) for government agencies.
In BOD 22-1, the Known Exploited Vulnerabilities (KEV) Catalog was published: "a list of CVE-IDs whose attack code is available and is actually used in real-world attacks".
BOD 22-1 requires that a vulnerability listed in the KEV Catalog, if it exists in a U.S. government system, be fixed within a specified period of time and by a specified method.
Currently, CVEs are scored under the Common Vulnerability Scoring System (CVSS). CVSS does not take into consideration whether a vulnerability has ever been used to exploit a system in the wild. The CVEs listed in the KEV Catalog are a collection of real threats that have been used to compromise systems in the real world.
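The difference between CVSS ranking and KEV-based ranking, as an added Go example (not code from Vuls or vulsio/go-kev): it parses a constructed sample in the layout of CISA's KEV JSON feed and orders findings so that catalog entries come first. The `Finding` type, the `Prioritize` function, the sample due dates and the `CVE-0000-0001` entry are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Constructed sample in the layout of CISA's KEV JSON feed; the due dates are placeholders.
const sampleKEV = `{"vulnerabilities":[
 {"cveID":"CVE-2021-41773","dueDate":"2000-01-01"},
 {"cveID":"CVE-2021-42013","dueDate":"2000-01-01"}]}`

type Finding struct { // hypothetical scan-result row, not a Vuls type
	CveID  string
	CVSS   float64
	KEVDue string // KEV dueDate; empty means the CVE is not in the catalog
}

// Scores as in the report above, plus one constructed placeholder CVE (CVE-0000-0001).
var sampleFindings = []Finding{{CveID: "CVE-0000-0001", CVSS: 9.9}, {CveID: "CVE-2021-41524", CVSS: 7.5},
	{CveID: "CVE-2021-41773", CVSS: 7.5}, {CveID: "CVE-2021-42013", CVSS: 9.8}}

// Prioritize puts KEV-listed findings first, then sorts each group by descending CVSS.
func Prioritize(feed []byte, findings []Finding) ([]Finding, error) {
	var cat struct{ Vulnerabilities []struct{ CveID, DueDate string } } // JSON keys match case-insensitively
	if err := json.Unmarshal(feed, &cat); err != nil {
		return nil, fmt.Errorf("parse KEV feed: %w", err)
	}
	due := map[string]string{}
	for _, v := range cat.Vulnerabilities {
		due[v.CveID] = v.DueDate
	}
	out := append([]Finding(nil), findings...) // copy: leave the caller's slice untouched
	for i := range out {
		out[i].KEVDue = due[out[i].CveID]
	}
	sort.SliceStable(out, func(i, j int) bool {
		if a, b := out[i].KEVDue != "", out[j].KEVDue != ""; a != b {
			return a // exactly one of the two is in the catalog: it goes first
		}
		return out[i].CVSS > out[j].CVSS
	})
	return out, nil
}

func main() {
	fmt.Println(Prioritize([]byte(sampleKEV), sampleFindings))
}
```

With this ordering the KEV-listed CVE-2021-41773 (CVSS 7.5) is ranked above the unlisted placeholder scored 9.9.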
Reference
- BOD 22-1: https://cyber.dhs.gov/bod/22-01/
- Known Exploited Vulnerabilities Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Changelog
0c6a892 style: fix lint (#1335)
89d94ad feat(detector): add known exploited vulnerabilities (#1331)
ffdb789 update dictionaries (#1326)
321dae3 chore: update readme
a31797a Merge branch 'sakura'
32999cf chore: update readme
88218f5 chore: update sponsor (#1325)
1576193 chore: update sponsor
0b62842 chore: fix go-sqlite3 deps (#1324)
6bcedde chore: update goval-dictionary (#1323)
2dcbff8 chore: sponsor (#1321)