CVEMap is an open-source command-line interface (CLI) tool that allows you to explore Common Vulnerabilities and Exposures (CVEs). It’s designed to offer a streamlined and user-friendly interface for navigating vulnerability databases.
Although CVEs are crucial for pinpointing and discussing security weaknesses, their rapid growth and occasional overstatement of severity often result in misleading information. Security experts, who must be constantly alert to thwart adversaries seeking any vulnerability, are distracted by the sheer volume of CVEs. This can lead to misallocated resources and the neglect of genuinely critical vulnerabilities. This is where CVEMap comes in.
CVEMap leverages a variety of valuable sources for its operations:
Known Exploited Vulnerabilities Catalog (KEV): Managed by CISA, this catalog lists actively exploited vulnerabilities and crucial deadlines, aiding in prioritizing urgent threats.
Exploit Prediction Scoring System (EPSS): This model predicts the likelihood of a vulnerability being exploited, providing a probability score and incorporating real-world data, which goes beyond traditional focus on vulnerability characteristics.
Proofs of Concept (POCs): This includes official PoCs, extensive references, and top-ranked PoCs from GitHub and other platforms, offering insights into exploitability.
HackerOne CVE Discovery: Features CVE reports and rankings from bug bounty hunters on the HackerOne platform.
Exposure on the internet: Offers data on active internet hosts for specific products, giving real-time insights into the global exposure of vulnerabilities.
GitHub and OSS Data: Provides metrics and popularity information for open-source projects affected by CVEs.
Nuclei Templates: A community-curated list of templates for the Nuclei engine to identify vulnerabilities, along with a reliable set of PoCs for easy testing and retesting of vulnerabilities at scale.
“The unique features that make CVEMap stand out are the visualization of multiple data points in a single view, the ability to filter CVEs based on any data point, and CVE to HackerOne reports mapping. In the future, we want to add more data points and use these different data points for CVE prioritization,” Sandeep Singh, CTO at ProjectDiscovery.io, told Help Net Security.
CVEMap is available for free on GitHub.
More open-source tools to consider: