A coalition of longtime, active CVE Board members has spent the past year developing a strategy to transition CVE to a dedicated, non-profit foundation. The new CVE Foundation will focus solely on continuing the mission of delivering high-quality vulnerability identification and maintaining the integrity and availability of CVE data for defenders worldwide.
Watch this space.
AWS publishes security bulletins for its various components. I didn't know they did that; nice surprise.
RSS: https://aws.amazon.com/security/security-bulletins/rss/feed/
JVN stands for "the Japan Vulnerability Notes." It is a vulnerability information portal site designed to help ensure Internet security by providing vulnerability information and solutions for software products used in Japan. JVN is operated jointly by the JPCERT Coordination Center and the Information-technology Promotion Agency (IPA). It is effectively Japan's national vulnerability disclosure clearinghouse.
JVN is a vulnerability knowledge base that helps system administrators and developers of software and other products improve the security of their products and customers. Product developers' statements on vulnerabilities include information on affected products, workarounds, and solutions (e.g., updates and patches).
RSS feed: https://jvn.jp/en/rss/jvn.rdf
This repository is used for the development of the CVE JSON record format. Releases of the CVE JSON record format will also be published here. This repository is managed by the CVE Quality Working Group.
cve-schema specifies the CVE record format. This is the blueprint for a rich set of JSON data that can be submitted by CVE Numbering Authorities (CNAs) and Authorized Data Publishers (ADPs) to describe a CVE record. Some examples of CVE record data include the CVE ID number, affected product(s), affected version(s), and public references. While those specific items are required when assigning a CVE, there are many other optional fields in the schema that can be used to enrich CVE records for community benefit.
This repository is the official CVE List and is a catalog of all CVE Records identified by, or reported to, the CVE Program.
This repository hosts downloadable files of CVE Records in the CVE Record Format (the schema is in another repository). They are updated regularly (about every 7 minutes) using the official CVE Services API. You may search, download, and use the content hosted in this repository, per the CVE Program Terms of Use.
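Reading a record out of that repository, as an added example (not code from the CVE Program or the cve-schema project). The record below is a constructed sample shaped like a CVE JSON 5.x record; its ID, vendor, product and values are placeholders, not a real CVE. The layout rule for `cves/<year>/<bucket>/` is the one the repository uses (the bucket is the sequence number with its last three digits replaced by "xxx"). The CVSS lookup shows the practitioner's usual fallback: take the CNA's score if it supplied one, otherwise any ADP enrichment.

```python
"""Parse a CVE JSON 5.x record as published in the cvelistV5 repository.

Added example, not code from the CVE Program. SAMPLE_RECORD is a
constructed, schema-shaped record with a placeholder ID.
"""
import json
import re
from typing import List, Optional

# Constructed sample record (placeholder ID, vendor, product and values).
SAMPLE_RECORD = json.dumps({
    "dataType": "CVE_RECORD",
    "dataVersion": "5.1",
    "cveMetadata": {
        "cveId": "CVE-2099-0001",
        "state": "PUBLISHED",
        "assignerShortName": "example_cna",
        "datePublished": "2099-01-01T00:00:00.000Z",
    },
    "containers": {
        "cna": {
            "title": "Placeholder overflow in exampled",
            "descriptions": [{"lang": "en", "value": "A constructed description."}],
            "affected": [{
                "vendor": "ExampleVendor",
                "product": "exampled",
                "versions": [
                    {"version": "1.0.0", "status": "affected",
                     "lessThan": "1.4.2", "versionType": "semver"},
                    {"version": "2.0.0", "status": "unaffected"},
                ],
            }],
            "problemTypes": [{"descriptions": [
                {"lang": "en", "type": "CWE", "cweId": "CWE-120",
                 "description": "CWE-120 Buffer Copy without Checking Size of Input"}]}],
            "references": [{"url": "https://example.invalid/advisory/1",
                            "tags": ["vendor-advisory"]}],
        },
        # No CNA metrics here, so the score must come from an ADP container.
        "adp": [{
            "providerMetadata": {"shortName": "example_adp"},
            "metrics": [{"cvssV3_1": {
                "version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}}],
        }],
    },
})

CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,19})$")


def record_path(cve_id: str) -> str:
    """Relative path of a record inside cvelistV5: cves/<year>/<bucket>/<id>.json,
    bucket = sequence number with its last three digits replaced by "xxx"."""
    m = CVE_ID_RE.match(cve_id)
    if not m:
        raise ValueError(f"not a CVE ID: {cve_id!r}")
    year, seq = m.groups()
    return f"cves/{year}/{seq[:-3]}xxx/{cve_id}.json"


def best_cvss(containers: dict) -> Optional[dict]:
    """CNA metrics first, then each ADP in order; newest CVSS version first."""
    sources = [("cna", containers.get("cna", {}))]
    for adp in containers.get("adp", []):
        name = adp.get("providerMetadata", {}).get("shortName", "?")
        sources.append((f"adp:{name}", adp))
    for source, c in sources:
        for metric in c.get("metrics", []):
            for key in ("cvssV4_0", "cvssV3_1", "cvssV3_0"):
                if key in metric:
                    m = metric[key]
                    return {"source": source, "version": key,
                            "baseScore": m.get("baseScore"),
                            "baseSeverity": m.get("baseSeverity"),
                            "vector": m.get("vectorString")}
    return None


def summarize(record_json: str) -> dict:
    """Flatten the fields a triage pipeline usually wants from one record.
    REJECTED records carry no affected/metrics data, so every lookup is
    tolerant of missing keys."""
    rec = json.loads(record_json)
    if rec.get("dataType") != "CVE_RECORD":
        raise ValueError("not a CVE record")
    meta = rec["cveMetadata"]
    cna = rec["containers"].get("cna", {})
    affected: List[str] = []
    for a in cna.get("affected", []):
        for v in a.get("versions", []):
            if v.get("status") != "affected":
                continue
            rng = v["version"]
            if "lessThan" in v:
                rng = f">={v['version']} <{v['lessThan']}"
            elif "lessThanOrEqual" in v:
                rng = f">={v['version']} <={v['lessThanOrEqual']}"
            affected.append(f"{a.get('vendor', '?')}/{a.get('product', '?')} {rng}")
    cwes = [d["cweId"] for pt in cna.get("problemTypes", [])
            for d in pt.get("descriptions", []) if "cweId" in d]
    desc = next((d["value"] for d in cna.get("descriptions", [])
                 if d.get("lang", "").startswith("en")), "")
    return {
        "id": meta["cveId"],
        "state": meta.get("state"),
        "published": meta.get("datePublished"),
        "path": record_path(meta["cveId"]),
        "description": desc,
        "affected": affected,
        "cwes": cwes,
        "cvss": best_cvss(rec["containers"]),
        "references": [r["url"] for r in cna.get("references", [])],
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_RECORD), indent=2))
```

Point `summarize` at the files under `cves/` in a clone of the repository and you get a uniform view regardless of whether the CNA or an ADP supplied the score; the version ranges are reported as the record states them, which is what you should match against your inventory rather than the free-text description.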
cve-maker is a hub for finding CVEs and exploits. It is based on the official NIST, ExploitDB and Github databases. The tool makes it quick and easy to search for CVEs and their associated exploits. It is able to detect exploit compilation options. It can also be used to list the latest critical vulnerabilities.
Documentation for Ubuntu's vulnerability API.
OpenSCAP represents both a library and a command line tool which can be used to parse and evaluate each component of the SCAP standard. The library approach allows for the swift creation of new SCAP tools rather than spending time learning the existing file structures. The command-line tool, called oscap, is a multi-purpose tool designed to format content into documents or scan the system based on this content. Whether you want to evaluate DISA STIGs, NIST's USGCB, or Red Hat's Security Response Team's content, all are supported by OpenSCAP.
If your main goal is to perform configuration and vulnerability scans of a local system then oscap can be the right tool for you. It can evaluate both XCCDF benchmarks and OVAL definitions and generate the appropriate results. The tool supports SCAP 1.2 and is backward compatible with SCAP 1.1 and 1.0.
OpenSCAP is available on various Linux distributions, including Red Hat Enterprise Linux, Fedora and Ubuntu. Since version 1.3.0 OpenSCAP supports also Microsoft Windows.
sudo apt-get install libopenscap8
Does not require root access to run. Can generate reports as HTML or XML.
Canonical’s Security Team produces Ubuntu OVAL, a structured, machine-readable dataset for all supported Ubuntu releases. It can be used to evaluate and manage security risks related to any existing Ubuntu components. It is based on the Open Vulnerability and Assessment Language (OVAL).
Ubuntu OVAL also allows for any third-party Security Content Automation Protocol (SCAP) compliant tools to accurately scan an Ubuntu system or an official Ubuntu OCI image for vulnerabilities.
wget https://security-metadata.canonical.com/oval/com.ubuntu.$(lsb_release -cs).usn.oval.xml.bz2
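The rest of the procedure that the wget line starts, as an added example (not code from OpenSCAP or Canonical): fetch the USN OVAL feed for the running release, run `oscap oval eval` on it with `--results` and `--report` (both are real oscap flags), and pull the definitions that evaluated to true out of the results file together with their USN and CVE references. It assumes `oscap` is on PATH and the host is Ubuntu; `SAMPLE_RESULTS` is a constructed, minimal OVAL results document with placeholder USN and CVE identifiers, used only to show the parsing offline.

```python
"""Evaluate Canonical's USN OVAL feed with oscap and list vulnerable definitions.

Added example, not part of OpenSCAP or Ubuntu OVAL. Assumes `oscap` is on
PATH. SAMPLE_RESULTS below is a constructed results file with placeholder
identifiers.
"""
import bz2
import subprocess
import urllib.request
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

RES_NS = "http://oval.mitre.org/XMLSchema/oval-results-5"
DEF_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"


def oval_url(codename: str, kind: str = "usn") -> str:
    """Feed URL for a release codename (e.g. "jammy"). kind "usn" is one
    definition per USN (what the wget line fetches); "cve" is one per CVE."""
    if kind not in ("usn", "cve"):
        raise ValueError(f"unknown feed kind {kind!r}")
    return (f"https://security-metadata.canonical.com/oval/"
            f"com.ubuntu.{codename}.{kind}.oval.xml.bz2")


def fetch_oval(codename: str, dest: str) -> str:
    """Download and decompress the feed (network required)."""
    with urllib.request.urlopen(oval_url(codename)) as r:
        data = bz2.decompress(r.read())
    with open(dest, "wb") as f:
        f.write(data)
    return dest


def run_oscap(definitions: str, results: str = "results.xml",
              report: str = "report.html") -> int:
    """Evaluate every definition in the file; no root needed for package
    checks. Per the oscap man page: exit 0 = success, 1 = error, 2 = the
    evaluation ran but the system did not pass. The per-definition verdict
    is in the results file, not in the exit code."""
    cmd = ["oscap", "oval", "eval", "--results", results, "--report", report, definitions]
    return subprocess.run(cmd, check=False).returncode


def vulnerable_definitions(results_xml: str) -> List[Tuple[str, str, List[str]]]:
    """(definition_id, title, [USN/CVE refs]) for each definition whose
    result is "true". For Ubuntu's patch-class definitions "true" means an
    installed package is older than the fixed version."""
    root = ET.fromstring(results_xml)
    # The results file embeds a copy of the definitions, so titles and
    # references can be resolved without reopening the feed.
    meta: Dict[str, Tuple[str, List[str]]] = {}
    for d in root.iter(f"{{{DEF_NS}}}definition"):
        title = d.findtext(f"{{{DEF_NS}}}metadata/{{{DEF_NS}}}title", default="")
        refs = [r.get("ref_id") for r in d.iter(f"{{{DEF_NS}}}reference")
                if r.get("source") in ("USN", "CVE")]
        meta[d.get("id")] = (title, refs)
    out = []
    for d in root.iter(f"{{{RES_NS}}}definition"):
        if d.get("result") == "true":
            did = d.get("definition_id")
            title, refs = meta.get(did, ("", []))
            out.append((did, title, refs))
    return out


# Constructed sample: one failing and one passing definition, placeholder IDs.
SAMPLE_RESULTS = f"""<oval_results xmlns="{RES_NS}">
  <oval_definitions xmlns="{DEF_NS}">
    <definitions>
      <definition id="oval:com.ubuntu.jammy:def:900000001" class="patch" version="1">
        <metadata>
          <title>USN-9999-1 -- exampled vulnerabilities</title>
          <reference source="USN" ref_id="USN-9999-1" ref_url="https://ubuntu.com/security/notices/USN-9999-1"/>
          <reference source="CVE" ref_id="CVE-2099-0001" ref_url="https://ubuntu.com/security/CVE-2099-0001"/>
        </metadata>
      </definition>
      <definition id="oval:com.ubuntu.jammy:def:900000002" class="patch" version="1">
        <metadata>
          <title>USN-9999-2 -- otherd vulnerabilities</title>
          <reference source="USN" ref_id="USN-9999-2" ref_url="https://ubuntu.com/security/notices/USN-9999-2"/>
        </metadata>
      </definition>
    </definitions>
  </oval_definitions>
  <results>
    <system>
      <definitions>
        <definition definition_id="oval:com.ubuntu.jammy:def:900000001" version="1" result="true"/>
        <definition definition_id="oval:com.ubuntu.jammy:def:900000002" version="1" result="false"/>
      </definitions>
    </system>
  </results>
</oval_results>
"""


if __name__ == "__main__":
    codename = subprocess.run(["lsb_release", "-cs"], capture_output=True,
                              text=True, check=True).stdout.strip()
    defs = fetch_oval(codename, f"com.ubuntu.{codename}.usn.oval.xml")
    run_oscap(defs)
    with open("results.xml") as f:
        for did, title, refs in vulnerable_definitions(f.read()):
            print(did, title, ", ".join(refs))
```

The HTML report is what you hand to someone else; the results XML is what you feed a ticketing or SIEM pipeline, and the `result="true"` rows are the only ones that matter for the USN feed. Keep the feed fresh: a stale OVAL file quietly reports a patched system as clean for anything published after the download.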
cve-search is a tool to import CVE (Common Vulnerabilities and Exposures) and CPE (Common Platform Enumeration) into a MongoDB to facilitate search and processing of CVEs.
The main objective of the software is to avoid doing direct, public lookups against the public CVE databases. Local lookups are usually faster, and sensitive queries (which products and versions you are running) never leave your network.
cve-search includes a back-end to store vulnerabilities and related information, an intuitive web interface for search and managing vulnerabilities, a series of tools to query the system and a web API interface.
A utility that, when given a CVE, searches GitHub for a PoC of the vulnerability.
OpenCVE lets you search for the CVEs you want, filtered by vendor, product, CVSS or CWE. It is synchronized with the feed provided by the NVD, so each CVE displays the standards you already know (CVE, CPE, CWE, CVSS). You can then subscribe to as many vendors or products as you want, and you will be notified as soon as a CVE concerning them is published or updated. Your custom dashboards and reports only include the CVEs associated with your subscriptions, and you can filter the list by keyword or CVSS score. OpenCVE keeps track of the changes, so you can find the history of your alerts on your Reports page. It can be self-hosted if you're concerned about leaking information outside of your organization.
REST API: https://docs.opencve.io/api/
The mission of the CVE Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities. There is one CVE Record for each vulnerability in the catalog. The vulnerabilities are discovered then assigned and published by organizations from around the world that have partnered with the CVE Program. Partners publish CVE Records to communicate consistent descriptions of vulnerabilities. Information technology and cybersecurity professionals use CVE Records to ensure they are discussing the same issue, and to coordinate their efforts to prioritize and address the vulnerabilities.
For however long this is still online.