Skip to content
/ cisa_kev Public

A wildly opinionated Python 3 library for working with the CISA Known Exploited Vulnerabilities (KEV) catalog

4 stars 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

whitfieldsdad/cisa_kev

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

24 Commits
cisa_kev
cisa_kev
 
 
data
data
 
 
examples
examples
 
 
.gitignore
.gitignore
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
poetry.lock
poetry.lock
 
 
pyproject.toml
pyproject.toml
 
 
requirements.txt
requirements.txt
 
 

Repository files navigation

CISA Known Exploited Vulnerabilities (KEV) Catalog client

A wildly opinionated Python 3 client for the CISA Known Exploited Vulnerabilities (KEV) Catalog.

⚠️ This project is under active development ⚠️

Features

  • Automatically download the latest version of the CISA KEV catalog;
  • Query the catalog using dataclasses, Pandas, or Polars;
  • Query the catalog from the command line and return the results in JSON, JSONL, CSV, or Parquet format; and
  • Optionally disable the use of TLS certificate verification (i.e. for users operating within a network where TLS MitM is being performed, and cisa.gov has not been allowlisted)

ℹ️ The CISA KEV catalog will be downloaded to a file named f70af4e5-602d-4b6f-a6cd-01be603ae2bb/known_exploited_vulnerabilities.json in the system's temporary directory by default

ℹ️ The download location can be customized through both the library and command line

Installation

To install using pip:

python3 -m pip install cisa_kev

To add to a Poetry project:

poetry add cisa_kev

To install from source:

poetry install

Usage

Command line

The following commands are equivalent:

poetry run cisa_kev
poetry run kev
poetry run tool
python3 cisa_kev/cli.py

Getting help from the command line

To view the usage guide:

poetry run cisa_kev --help
Usage: cisa_kev [OPTIONS] COMMAND [ARGS]...

  CISA Known Exploited Vulnerabilities (KEV) Catalog

Options:
  --download-path TEXT            [default: /var/folders/ps/c0fn47n54sg08wck9_
                                  x9qncr0000gp/T/f70af4e5-602d-4b6f-a6cd-01be6
                                  03ae2bb/known_exploited_vulnerabilities.json
                                  ]
  --download-url TEXT             [default: https://www.cisa.gov/sites/default
                                  /files/feeds/known_exploited_vulnerabilities
                                  .json]
  --verify-tls / --no-verify-tls  [default: verify-tls]
  --help                          Show this message and exit.

Commands:
  download  Download the latest version of the catalog.
  query     Query the catalog.

Downloading the CISA KEV catalog from the command line

To download the latest version of the CISA KEV catalog:

poetry run cisa_kev download
INFO:cisa_kev.client:Writing https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json to /var/folders/ps/c0fn47n54sg08wck9_x9qncr0000gp/T/f70af4e5-602d-4b6f-a6cd-01be603ae2bb/known_exploited_vulnerabilities.json

To disable TLS certificate validation:

poetry run cisa_kev --no-verify-tls download

To customize where the catalog will be downloaded to:

poetry run cisa_kev --download-path data/known_exploited_vulnerabilities.json download

ℹ️ The output directory will be automatically created if it does not already exist.

Querying the CISA KEV catalog from the command line

The following options are available when querying the catalog via the command line:

poetry run cisa_kev query --help
Usage: cisa_kev query [OPTIONS]

  Query the catalog.

Options:
  --cve-id TEXT
  --vendor TEXT
  --product TEXT
  --ransomware-related / --not-ransomware-related
  --overdue / --not-overdue
  --min-date-added PARSE_DATE
  --max-date-added PARSE_DATE
  --min-due-date PARSE_DATE
  --max-due-date PARSE_DATE
  -o, --output-file TEXT
  --output-format [csv|json|jsonl|parquet]
                                  [default: json]
  --help                          Show this message and exit.

To search for vulnerabilities known to be used in ransomware campaigns in the wild:

poetry run cisa_kev query --ransomware-related --output-format=jsonl | jq
...
{
  "cve_id": "CVE-2023-34362",
  "vendor": "Progress",
  "product": "MOVEit Transfer",
  "name": "Progress MOVEit Transfer SQL Injection Vulnerability",
  "description": "Progress MOVEit Transfer contains a SQL injection vulnerability that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or delete database elements.",
  "date_added": "2023-06-02",
  "due_date": "2023-06-23",
  "required_action": "Apply updates per vendor instructions.",
  "known_ransomware_campaign_use": true,
  "notes": "This CVE has a CISA AA located here: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a. Please see the AA for associated IOCs. Additional information is available at: https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023."
}
...

To search for vulnerabilities by CVE ID:

poetry run kev query --cve-id=CVE-2023-34362 --cve-id=CVE-2014-0160 --output-format=jsonl | jq
{
  "cve_id": "CVE-2014-0160",
  "vendor": "OpenSSL",
  "product": "OpenSSL",
  "name": "OpenSSL Information Disclosure Vulnerability",
  "description": "The TLS and DTLS implementations in OpenSSL do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information.",
  "date_added": "2022-05-04",
  "due_date": "2022-05-25",
  "required_action": "Apply updates per vendor instructions.",
  "known_ransomware_campaign_use": false,
  "notes": ""
}
{
  "cve_id": "CVE-2023-34362",
  "vendor": "Progress",
  "product": "MOVEit Transfer",
  "name": "Progress MOVEit Transfer SQL Injection Vulnerability",
  "description": "Progress MOVEit Transfer contains a SQL injection vulnerability that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or delete database elements.",
  "date_added": "2023-06-02",
  "due_date": "2023-06-23",
  "required_action": "Apply updates per vendor instructions.",
  "known_ransomware_campaign_use": true,
  "notes": "This CVE has a CISA AA located here: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a. Please see the AA for associated IOCs. Additional information is available at: https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023."
}

To search for vulnerabilities by vendor:

poetry run cisa_kev query --vendor=microsoft --output-format=jsonl | jq -c
...
{"cve_id":"CVE-2023-36036","vendor":"Microsoft","product":"Windows","name":"Microsoft Windows Cloud Files Mini Filter Driver Privilege Escalation Vulnerability","description":"Microsoft Windows Cloud Files Mini Filter Driver contains a privilege escalation vulnerability that could allow an attacker to gain SYSTEM privileges.","date_added":"2023-11-14","due_date":"2023-12-05","required_action":"Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.","known_ransomware_campaign_use":false,"notes":"https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-36036"}
{"cve_id":"CVE-2023-36584","vendor":"Microsoft","product":"Windows","name":"Microsoft Windows Mark of the Web (MOTW) Security Feature Bypass Vulnerability","description":"Microsoft Windows Mark of the Web (MOTW) contains a security feature bypass vulnerability resulting in a limited loss of integrity and availability of security features.","date_added":"2023-11-16","due_date":"2023-12-07","required_action":"Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.","known_ransomware_campaign_use":false,"notes":"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36584"}
{"cve_id":"CVE-2023-29357","vendor":"Microsoft","product":"SharePoint Server","name":"Microsoft SharePoint Server Privilege Escalation Vulnerability","description":"Microsoft SharePoint Server contains an unspecified vulnerability that allows an unauthenticated attacker, who has gained access to spoofed JWT authentication tokens, to use them for executing a network attack. This attack bypasses authentication, enabling the attacker to gain administrator privileges.","date_added":"2024-01-10","due_date":"2024-01-31","required_action":"Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.","known_ransomware_campaign_use":false,"notes":"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29357"}
...

To search for vulnerabilities by vendor and list only CVE IDs you could use jq:

poetry run kev query --vendor=microsoft --output-format=jsonl | jq -r '.cve_id' > example-cve-ids.txt

To search for vulnerabilities by CVE ID using a line-delimited file of CVE IDs:

poetry run kev query --cve-id-file example-cve-ids.txt --ransomware-related --output-format=jsonl | jq -r '.cve_id' | sort
CVE-2013-0074
CVE-2013-2551
CVE-2015-1701
...
CVE-2023-24880
CVE-2023-28252
CVE-2023-36884

About

A wildly opinionated Python 3 library for working with the CISA Known Exploited Vulnerabilities (KEV) catalog

Resources

Readme
Activity

Stars

4 stars

Watchers

1 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Languages