Skip to main content

A wildly opinionated client for the CISA Known Exploited Vulnerabilities (KEV) catalog

Project description

CISA Known Exploited Vulnerabilities (KEV) Catalog client

A wildly opinionated Python 3 client for the CISA Known Exploited Vulnerabilities (KEV) Catalog.

Features

  • Automatically download the latest version of the CISA KEV catalog;
  • Query the catalog using dataclasses, Pandas, or Polars;
  • Query the catalog from the command line and return the results in JSON, JSONL, CSV, or Parquet format; and
  • Optionally disable the use of TLS certificate verification (i.e. for users operating within a network where TLS MitM is being performed, and cisa.gov has not been allowlisted)

ℹ️ The CISA KEV catalog will be downloaded to a file named f70af4e5-602d-4b6f-a6cd-01be603ae2bb/known_exploited_vulnerabilities.json in the system's temporary directory by default

ℹ️ The download location can be customized through both the library and command line

Installation

To install using pip:

python3 -m pip install cisa_kev

To add to a Poetry project:

poetry add cisa_kev

To install from source:

poetry install

Usage

Command line

The following commands are equivalent:

poetry run cisa_kev
poetry run kev
poetry run tool
python3 cisa_kev/cli.py

Getting help from the command line

To view the usage guide:

poetry run cisa_kev --help
Usage: cisa_kev [OPTIONS] COMMAND [ARGS]...

  CISA Known Exploited Vulnerabilities (KEV) Catalog

Options:
  --download-path TEXT            [default: /var/folders/ps/c0fn47n54sg08wck9_
                                  x9qncr0000gp/T/f70af4e5-602d-4b6f-a6cd-01be6
                                  03ae2bb/known_exploited_vulnerabilities.json
                                  ]
  --download-url TEXT             [default: https://www.cisa.gov/sites/default
                                  /files/feeds/known_exploited_vulnerabilities
                                  .json]
  --verify-tls / --no-verify-tls  [default: verify-tls]
  --help                          Show this message and exit.

Commands:
  download  Download the latest version of the catalog.
  query     Query the catalog.

Downloading the CISA KEV catalog from the command line

To download the latest version of the CISA KEV catalog:

poetry run cisa_kev download
INFO:cisa_kev.client:Writing https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json to /var/folders/ps/c0fn47n54sg08wck9_x9qncr0000gp/T/f70af4e5-602d-4b6f-a6cd-01be603ae2bb/known_exploited_vulnerabilities.json

To disable TLS certificate validation:

poetry run cisa_kev --no-verify-tls download

To customize where the catalog will be downloaded to:

poetry run cisa_kev --download-path data/known_exploited_vulnerabilities.json download

ℹ️ The output directory will be automatically created if it does not already exist.

Querying the CISA KEV catalog from the command line

The following options are available when querying the catalog via the command line:

poetry run cisa_kev query --help
Usage: cisa_kev query [OPTIONS]

  Query the catalog.

Options:
  --cve-id TEXT
  --vendor TEXT
  --product TEXT
  --ransomware-related / --not-ransomware-related
  --overdue / --not-overdue
  --min-date-added PARSE_DATE
  --max-date-added PARSE_DATE
  --min-due-date PARSE_DATE
  --max-due-date PARSE_DATE
  -o, --output-file TEXT
  --output-format [csv|json|jsonl|parquet]
                                  [default: json]
  --help                          Show this message and exit.

To search for vulnerabilities known to be used in ransomware campaigns in the wild:

poetry run cisa_kev query --ransomware-related --output-format=jsonl | jq
...
{
  "cve_id": "CVE-2023-34362",
  "vendor": "Progress",
  "product": "MOVEit Transfer",
  "name": "Progress MOVEit Transfer SQL Injection Vulnerability",
  "description": "Progress MOVEit Transfer contains a SQL injection vulnerability that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or delete database elements.",
  "date_added": "2023-06-02",
  "due_date": "2023-06-23",
  "required_action": "Apply updates per vendor instructions.",
  "known_ransomware_campaign_use": true,
  "notes": "This CVE has a CISA AA located here: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a. Please see the AA for associated IOCs. Additional information is available at: https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023."
}
...

To search for vulnerabilities by CVE ID:

poetry run kev query --cve-id=CVE-2023-34362 --cve-id=CVE-2014-0160 --output-format=jsonl | jq
{
  "cve_id": "CVE-2014-0160",
  "vendor": "OpenSSL",
  "product": "OpenSSL",
  "name": "OpenSSL Information Disclosure Vulnerability",
  "description": "The TLS and DTLS implementations in OpenSSL do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information.",
  "date_added": "2022-05-04",
  "due_date": "2022-05-25",
  "required_action": "Apply updates per vendor instructions.",
  "known_ransomware_campaign_use": false,
  "notes": ""
}
{
  "cve_id": "CVE-2023-34362",
  "vendor": "Progress",
  "product": "MOVEit Transfer",
  "name": "Progress MOVEit Transfer SQL Injection Vulnerability",
  "description": "Progress MOVEit Transfer contains a SQL injection vulnerability that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or delete database elements.",
  "date_added": "2023-06-02",
  "due_date": "2023-06-23",
  "required_action": "Apply updates per vendor instructions.",
  "known_ransomware_campaign_use": true,
  "notes": "This CVE has a CISA AA located here: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a. Please see the AA for associated IOCs. Additional information is available at: https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023."
}

To search for vulnerabilities by vendor:

poetry run cisa_kev query --vendor=microsoft --output-format=jsonl | jq -c
...
{"cve_id":"CVE-2023-36036","vendor":"Microsoft","product":"Windows","name":"Microsoft Windows Cloud Files Mini Filter Driver Privilege Escalation Vulnerability","description":"Microsoft Windows Cloud Files Mini Filter Driver contains a privilege escalation vulnerability that could allow an attacker to gain SYSTEM privileges.","date_added":"2023-11-14","due_date":"2023-12-05","required_action":"Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.","known_ransomware_campaign_use":false,"notes":"https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-36036"}
{"cve_id":"CVE-2023-36584","vendor":"Microsoft","product":"Windows","name":"Microsoft Windows Mark of the Web (MOTW) Security Feature Bypass Vulnerability","description":"Microsoft Windows Mark of the Web (MOTW) contains a security feature bypass vulnerability resulting in a limited loss of integrity and availability of security features.","date_added":"2023-11-16","due_date":"2023-12-07","required_action":"Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.","known_ransomware_campaign_use":false,"notes":"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36584"}
{"cve_id":"CVE-2023-29357","vendor":"Microsoft","product":"SharePoint Server","name":"Microsoft SharePoint Server Privilege Escalation Vulnerability","description":"Microsoft SharePoint Server contains an unspecified vulnerability that allows an unauthenticated attacker, who has gained access to spoofed JWT authentication tokens, to use them for executing a network attack. This attack bypasses authentication, enabling the attacker to gain administrator privileges.","date_added":"2024-01-10","due_date":"2024-01-31","required_action":"Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.","known_ransomware_campaign_use":false,"notes":"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29357"}
...

To search for vulnerabilities by vendor and list only CVE IDs you could use jq:

poetry run kev query --vendor=microsoft --output-format=jsonl | jq -r '.cve_id' > example-cve-ids.txt

To search for vulnerabilities by CVE ID using a line-delimited file of CVE IDs:

poetry run kev query --cve-id-file example-cve-ids.txt --ransomware-related --output-format=jsonl | jq -r '.cve_id' | sort
CVE-2013-0074
CVE-2013-2551
CVE-2015-1701
...
CVE-2023-24880
CVE-2023-28252
CVE-2023-36884

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

cisa_kev-2.0.2.tar.gz (10.0 kB view details)

Uploaded Source

Built Distribution

cisa_kev-2.0.2-py3-none-any.whl (9.5 kB view details)

Uploaded Python 3

File details

Details for the file cisa_kev-2.0.2.tar.gz.

File metadata

  • Download URL: cisa_kev-2.0.2.tar.gz
  • Upload date:
  • Size: 10.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: poetry/1.7.1 CPython/3.12.1 Darwin/22.6.0

File hashes

Hashes for cisa_kev-2.0.2.tar.gz
Algorithm Hash digest
SHA256 85f7acb13be8ff4e1966ba99aa11dd78724949bc5b8a30f2d73c6c2f87fa30be
MD5 382edeb98462fc83c995e87b758ea7a4
BLAKE2b-256 232917cfe39ca70c05a3ab7cdcb6c000781b7728ac3c31604e0b5c9b8f2a6773

See more details on using hashes here.

File details

Details for the file cisa_kev-2.0.2-py3-none-any.whl.

File metadata

  • Download URL: cisa_kev-2.0.2-py3-none-any.whl
  • Upload date:
  • Size: 9.5 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: poetry/1.7.1 CPython/3.12.1 Darwin/22.6.0

File hashes

Hashes for cisa_kev-2.0.2-py3-none-any.whl
Algorithm Hash digest
SHA256 6a212bd1df3c0e5f3efc00cd512ce8f274486cad58226f3ba0c80c2f956187ac
MD5 90c645d3c88ed4069a53a1631a77b948
BLAKE2b-256 2d13a9468ec86183620769e208f3c020ae15627df370f71f13f703dc75c86c7c

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page