Transilience is announcing the availability of its richest set of vulnerability data over the API, for developers who want to use it in their CI/CD pipelines and for vendors who want to augment their own vulnerability data.
What is the problem with existing vulnerability data?
We have all heard the complaint that the vulnerability data from NVD is not useful for prioritization. There are two main issues with understanding and prioritizing vulnerabilities:
- Lack of structured information around true impact of vulnerabilities
- Lack of structured information around vendor and product specific details of vulnerabilities
Lack of information around the true impact of vulnerabilities
The current NVD data does not capture the true impact of CVEs, in either breadth or depth. The CIA rating does not capture the true nature of the impact, and the CIA severity is rated HIGH for the majority of CVEs.
We capture about 75 different attributes of the impact of a CVE, such as:
- Confidentiality
  - `read_application_data`, `read_application_data_reason`
  - `read_files_or_directories`, `read_files_or_directories_reason`
  - `read_memory`, `read_memory_reason`
- Integrity
  - `modify_application_data`, `modify_application_data_reason`
  - `modify_files_or_directories`, `modify_files_or_directories_reason`
  - `modify_memory`, `modify_memory_reason`
  - `unauthorized_code_or_commands`, `unauthorized_code_or_commands_reason`
  - `alter_execution_logic`, `alter_execution_logic_reason`
  - `unexpected_state`, `unexpected_state_reason`
- Availability
  - Under `unreliable_execution`: `crash_exit_or_restart`, `crash_exit_or_restart_reason`, `instability`, `instability_reason`, `amplification`, `amplification_reason`
  - Under `resource_consumption`: `cpu`, `cpu_reason`, `memory`, `memory_reason`, `other`, `other_reason`
  - Under `quality_degradation`: `reduce_maintainability`, `reduce_maintainability_reason`, `reduce_performance`, `reduce_performance_reason`, `reduce_reliability`, `reduce_reliability_reason`
Lack of structured information around vendor and product specific details
Vendor advisory pages carry a lot more specificity about:
- which products are vulnerable and which are not
- pre-requisites for exploitation of a vulnerability
- workarounds for vulnerabilities
- exploit steps, detection steps, etc.
Transilience captures 50+ such vendor details.
Both the impact information and the vendor details are available to you over the API.
How to use?
The API is documented at https://vulns.transilienceapi.com/docs
Step 1 - create an API key with a valid email address
Step 2 - call the API with that key
What are the APIs?
- Get basic information of a given set of CVEs. We have included EPSS scores and EPSS percentile information along with the "basic" CVE information from N
- Get detailed information on a single CVE. The impact and vendor details are available through this API.
- Restrictions
  - The APIs are free for anyone, as long as usage stays within 20 requests per minute.
  - For bulk use of the APIs, contact hello@transilience.ai.
Example Usage
Example - Get Impact Details of a CVE
Below is an example of a call to the `cves/cve` endpoint and the impact details of the CVE it returns.

```python
import json
import requests

url = "https://vulns.transilienceapi.com/cves/CVE-2024-13269"
headers = {"x-api-key": "efb43e25-86d1-4ebf-b543-xxxxx"}
response = requests.request("GET", url, headers=headers)
json.loads(response.text)['impact']
```

```
{'confidentiality': {'read_application_data': True,
                     'read_application_data_reason': 'The vulnerability allows sensitive information to be inserted into sent data, which can be read by unauthorized users.',
                     'read_files_or_directories': False,
                     'read_files_or_directories_reason': 'No direct access to files or directories is indicated by the vulnerability.',
                     'read_memory': False,
                     'read_memory_reason': 'The vulnerability does not imply the ability to read memory.'},
 'integrity': {'modify_application_data': True,
               'modify_application_data_reason': 'The vulnerability allows for the modification of application data due to forceful browsing.',
               'modify_files_or_directories': False,
               'modify_files_or_directories_reason': 'No indication that files or directories can be modified.',
               'modify_memory': False,
               'modify_memory_reason': 'The vulnerability does not imply the ability to modify memory.',
               'unauthorized_code_or_commands': False,
               'unauthorized_code_or_commands_reason': 'The vulnerability does not allow for the execution of unauthorized code or commands.',
               'alter_execution_logic': False,
               'alter_execution_logic_reason': 'No indication that execution logic can be altered.',
               'unexpected_state': False,
               'unexpected_state_reason': 'The vulnerability does not cause unexpected states.'},
 'availability': {'unreliable_execution': {'crash_exit_or_restart': False,
                                           'crash_exit_or_restart_reason': 'The vulnerability does not cause crashes or restarts.',
                                           'instability': False,
                                           'instability_reason': 'No indication of instability due to this vulnerability.',
                                           'amplification': False,
                                           'amplification_reason': 'The vulnerability does not cause amplification.'},
                  'resource_consumption': {'cpu': False,
                                           'cpu_reason': 'No indication of CPU resource consumption.',
                                           'memory': False,
                                           'memory_reason': 'No indication of memory resource consumption.',
                                           'other': '',
                                           'other_reason': ''},
                  'quality_degradation': {'reduce_maintainability': False,
                                          'reduce_maintainability_reason': 'No indication that maintainability is reduced.',
                                          'reduce_performance': False,
                                          'reduce_performance_reason': 'No indication that performance is reduced.',
                                          'reduce_reliability': False,
                                          'reduce_reliability_reason': 'No indication that reliability is reduced.',
                                          'other': '',
                                          'other_reason': ''}},
 'access': {'gain_privileges': False,
            'gain_privileges_reason': 'The vulnerability does not allow for privilege escalation.',
            'bypass_protection': True,
            'bypass_protection_reason': 'Forceful browsing indicates the ability to bypass certain protections.'}}
```
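A prioritization pipeline rarely wants the 75 attributes verbatim; it wants the ones that are actually set, each paired with its `_reason`. The following is an added example, not Transilience code: it flattens the nested `impact` object shown above into dotted paths (including the nested availability groups), and wraps the same GET call with a sleep that keeps a loop under the free-tier limit of 20 requests per minute. `SAMPLE_IMPACT` is a constructed, shortened subset of the CVE-2024-13269 output.

```python
"""Flatten the `impact` object into the attributes that are actually set.

Added example, not Transilience code. Field names follow the `impact`
response above; SAMPLE_IMPACT is a constructed, shortened subset of it.
"""
import json
import time
import urllib.request

API_BASE = "https://vulns.transilienceapi.com"
MIN_INTERVAL_S = 60 / 20  # free tier is 20 calls per minute

# Constructed sample mirroring the documented response shape.
SAMPLE_IMPACT = {
    "confidentiality": {
        "read_application_data": True,
        "read_application_data_reason": "Sensitive data inserted into sent data.",
        "read_memory": False,
        "read_memory_reason": "No memory read implied.",
    },
    "integrity": {
        "modify_application_data": True,
        "modify_application_data_reason": "Forceful browsing allows modification.",
    },
    "availability": {
        "unreliable_execution": {"crash_exit_or_restart": False,
                                 "crash_exit_or_restart_reason": "No crash."},
        "resource_consumption": {"cpu": False, "cpu_reason": "None.",
                                 "other": "", "other_reason": ""},
    },
    "access": {"bypass_protection": True,
               "bypass_protection_reason": "Forceful browsing bypasses protections."},
}


def true_impacts(impact, prefix=""):
    """Return {dotted.path: reason} for every flag that is True.

    Recurses into nested groups such as availability.resource_consumption;
    free-text fields like `other` are strings, not flags, and are skipped.
    """
    found = {}
    for key, value in impact.items():
        path = prefix + key
        if isinstance(value, dict):
            found.update(true_impacts(value, prefix=path + "."))
        elif value is True:
            found[path] = impact.get(key + "_reason", "")
    return found


def fetch_impact(cve_id, api_key, last_call=None):
    """GET /cves/<cve_id> with the x-api-key header, sleeping to respect the rate limit."""
    if last_call is not None:
        time.sleep(max(0.0, MIN_INTERVAL_S - (time.monotonic() - last_call)))
    req = urllib.request.Request(f"{API_BASE}/cves/{cve_id}", headers={"x-api-key": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["impact"]
```

On the constructed sample, `true_impacts` yields `access.bypass_protection`, `confidentiality.read_application_data` and `integrity.modify_application_data`, which is the whole story of that CVE in three lines.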
Example - Getting details of vendor advisories over the API
Let's take a look at the SSH vulnerability example, CVE-2024-6387.
Number of products mentioned across all vendors:

```python
import json
import requests

url = "https://vulns.transilienceapi.com/cves/CVE-2024-6387"
headers = {"x-api-key": "efb43e25-86d1-4ebf-b543-xxxxxx"}
response = requests.request("GET", url, headers=headers)
len(json.loads(response.text)['vendors_exploits_details'])
```

```
422
```
Am I vulnerable? List of products over the API

```python
import json
import requests

url = "https://vulns.transilienceapi.com/cves/CVE-2024-6387"
headers = {"x-api-key": "efb43e25-86d1-4ebf-b543-xxxxxx"}
response = requests.request("GET", url, headers=headers)

# Get unique vendor product names from vendors_exploits_details
vendor_products = set()
for item in json.loads(response.text)['vendors_exploits_details']:
    if 'vulnerable_product.vendor_product_name' in item:
        vendor_products.add(item['vulnerable_product.vendor_product_name'])
print(vendor_products)
```

```
{'Debian 10', 'Red Hat Enterprise Linux for Power (little endian) Extended Update Support', 'Azure Kubernetes Service (AKS)', 'OpenSSH for Windows', 'Security Software',
 'Red Hat Enterprise Linux for Power (little endian)', 'Red Hat CoreOS (RHCOS)', 'OpenSSH (Linux)', 'OpenSSH-Clients', 'RHEL', 'Unknown',
 'Red Hat Enterprise Linux Server for Power LE Update Services for SAP Solutions', 'Red Hat Enterprise Linux Extended Update Support', 'OpenSSH-Askpass', 'OpenSSH',
 'CentOS Stream', 'musl libc', 'pkgsrc', 'Red Hat Enterprise Linux for ARM 64 (4 years of updates)', None, 'Red Hat Enterprise Linux for ARM 4 years of updates',
 'macOS Monterey', 'AlmaLinux', 'Example Product', 'ONTAP Select Deploy administration utility', 'NetBSD', 'On-Premise Email Security NSM',
 'Red Hat Enterprise Linux (RHEL)', 'Portable OpenSSH', 'Debian 12.5', 'E-Series SANtricity OS Controller Software', 'OpenShift Container Platform (OCP)', 'macOS',
 'SonicWall Switches', 'OpenSSH-Keycat', 'Red Hat Enterprise Linux Server AUS', 'Red Hat OpenShift Container Platform',
 'Red Hat Enterprise Linux for IBM Systems (4 years of updates)', 'Red Hat Enterprise Linux for ARM', 'Gen6 Firewalls', 'Red Hat Enterprise Linux for IBM Systems',
 'Red Hat Enterprise Linux Server for Power LE', 'Fedora', 'Red Hat Enterprise Linux for x86_64 Extended Update Support', 'SMA 1000', 'ONTAP 9', 'Older OpenSSH',
 'NSM On-Premise', 'Zetsuo (PoC)', 'Ubuntu (from 2006)', 'macOS Ventura', 'PMIx', 'Red Hat Enterprise Linux', 'Red Hat Enterprise Linux for ARM 64 Extended Update Support',
 'Red Hat Enterprise Linux for x86_64 Update Services for SAP Solutions', 'OpenSSH Server (sshd)', 'Openwall Software', 'OpenSSH Client', 'Debian-7',
 'Red Hat Enterprise Linux for x86_64', 'Counter', 'Red Hat Enterprise Linux for ARM 64', 'Solaris PAM', 'EPEL', 'sshd',
 'Red Hat Enterprise Linux for IBM Systems 4 years of updates', 'Alpine Linux', 'glibc-based Linux', 'Linux Kernel', 'OpenSSH server', 'hpn-ssh',
 'OpenShift Container Platform', 'OpenSSH Server', 'Qualys Q1Ds', 'Red Hat Enterprise Linux for IBM Systems Extended Update Support', 'Ubuntu',
 'SMA 6200/7200/6210/7210', 'OpenSSH-Server', 'OpenBSD', 'Chaos RAT', 'Oracle Linux'}
```

Note that the set contains `None`: some records carry the `vulnerable_product.vendor_product_name` key with no value, so code that matches on product names must tolerate it.
Example response of a product

```python
# One entry of the 422-element list; shown here is the Red Hat OpenSSH record.
json.loads(response.text)['vendors_exploits_details'][0]
```

```
{'vulnerable_product.vendor_name': 'Red Hat',
 'vulnerable_product.vendor_product_name': 'OpenSSH',
 'vulnerable_product.vendor_product_type': 'Security',
 'vulnerable_product.vendor_software_name': 'OpenSSH',
 'vulnerable_product.operating_system': None,
 'vulnerable_product.vendor_advisory_title': None,
 'vulnerable_product.vendor_advisory_id': None,
 'vulnerable_product.cve_disputed': False,
 'vulnerable_product.discrepancy': False,
 'vulnerable_product.published_date': None,
 'remediation.remediation_steps': "['Upgrade to OpenSSH version 8.9p2 or later.']",
 'remediation.mitigations_available': False,
 'remediation.mitigation_details': None,
 'remediation.mitigation_concern_level': 'High',
 'remediation.mitigation_concern_reasoning': 'No mitigations available, upgrading is necessary to remediate the vulnerability.',
 'remediation.compensating_controls': 'Implement network segmentation and strict access controls to limit exposure.',
 'asset.asset_description': 'OpenSSH is a widely used implementation of the SSH protocol, providing secure remote access and file transfer capabilities.',
 'asset.asset_criticality': 'High',
 'asset.asset_criticality_reasoning': 'OpenSSH is critical for secure communications in many environments, making its security paramount.',
 'asset.application': 'Remote access and file transfer application',
 'asset.industry': 'Information Technology',
 'asset.sub_industry': None,
 'asset.asset_concern_level': 'High',
 'asset.asset_concern_reasoning': 'The vulnerability can lead to remote code execution, posing significant risks to systems using OpenSSH.',
 'exploit.exploit_steps': None,
 'exploit.exploit_code_presence': None,
 'exploit.exploit_details': None,
 'exploit.exploit_impact': None,
 'exploit.exploit_commands': None,
 'exploit.exploit_detection_steps': None,
 'exploit.exploit_detection_commands': None,
 'exploit.exploit_dependency': None,
 'exploit.exploit_dependency_details': None,
 'exploit.exploit_concern_level': None,
 'exploit.exploit_concern_reasoning': None,
 'exploit.exploit_execution_difficulty': None,
 'exploit.exploit_execution_difficulty_reasoning': None,
 'exposure_metrics.vulnerability_severity': None,
 'exposure_metrics.vulnerability_severity_reasoning': None,
 'exposure_metrics.required_privileges': None,
 'exposure_metrics.required_privileges_details': None,
 'exposure_metrics.special_configuration_needed': None,
 'exposure_metrics.special_configuration_details': None,
 'exposure_metrics.code_exploitability_likelihood': None,
 'exposure_metrics.code_exploitability_reasons': None,
 'exposure_metrics.exploit_difficulty': None,
 'exposure_metrics.exploit_difficulty_reasoning': None,
 'exposure_metrics.asset_criticality': None,
 'exposure_metrics.asset_criticality_reasoning': None,
 'exposure_metrics.running_as_service': None,
 'exposure_metrics.running_as_service_reasoning': None,
 'exposure_metrics.listening_on_port': None,
 'exposure_metrics.listening_on_port_reasoning': None,
 'min_vulnerable_version': None,
 'max_vulnerable_version': None,
 'remediated_software_version': None,
 'not_vulnerable_version': None,
 'software_versions_readable': None,
 'image': 'www_openwall_com_lists_oss-security_2024_07_10_2.png',
 'url': 'http://www.openwall.com/lists/oss-security/2024/07/10/2',
 'url_text': '# Analysis of Vendor Response to Software Vulnerability\n\nThe text provided appears to be a discussion among security professionals regarding the handling of vulnerabilities in OpenSSH, specifically focusing on two CVEs: **CVE-2024-6387** and **CVE-2024-6409**. The conversation highlights issues related to the assignment of CVEs, the communication of vulnerabilities, and the responsibilities of various organizations involved in the process.\n\n## Key Points\n\n### Vulnerabilities Discussed\n\n1. **CVE-2024-6387**\n - **Type**: Remote Code Execution (RCE)\n - **Affected Software**: OpenSSH\n - **Affected Versions**: \n - OpenSSH versions up to and including **8.9p1**\n - **Vendor**: Red Hat\n - **Description**: The CVE entry indicates that the vulnerability primarily affects Red Hat systems and their downstream patches. The communication suggests that the description was not clear about the scope of the vulnerability, leading to potential confusion for users relying on automated systems to detect vulnerabilities.\n\n2. **CVE-2024-6409**\n - **Type**: Possible Remote Code Execution due to a race condition in signal handling\n - **Affected Software**: OpenSSH\n - **Affected Versions**: Not explicitly listed in the text, but it is implied that it affects certain versions of OpenSSH.\n - **Vendor**: Red Hat\n - **Description**: Similar to CVE-2024-6387, the description was criticized for lacking clarity regarding the consequences of the vulnerability.\n\n### Vendor and Product Information\n\n| **Vendor** | **Product** | **Vulnerable Versions** | **Non-Vulnerable Versions** |\n|------------|-------------|-------------------------|------------------------------|\n| Red Hat | OpenSSH | Up to 8.9p1 | Not specified |\n\n### Communication Issues\n\n- The text indicates a lack of clarity in the CVE descriptions, particularly regarding which versions of OpenSSH are affected. This can lead to confusion for users and organizations that rely on CVE databases for vulnerability management.\n- There is a suggestion that the CVE process has serious failures, making it nearly useless for consumers of this information. The need for better communication and documentation is emphasized.\n\n### Recommendations for Improvement\n\n- **CVE Descriptions**: It is recommended that CVE descriptions be improved to clearly state the affected versions and the implications of the vulnerabilities.\n- **CPE Listings**: There is a call for including Common Platform Enumeration (CPE) entries for upstream OpenSSH to ensure that users are aware of vulnerabilities in the software they are using.\n- **Coordination Among CNAs**: The text discusses the importance of coordination among different CVE Numbering Authorities (CNAs) to ensure that vulnerabilities are reported and documented accurately.\n\n### Conclusion\n\nThe discussion highlights critical issues in the management and communication of software vulnerabilities, particularly concerning OpenSSH and Red Hat. The need for clear, accurate, and comprehensive information is paramount for organizations to effectively manage their security posture. The conversation serves as a reminder of the complexities involved in vulnerability management and the importance of collaboration among stakeholders in the security community.\n\n### References\n\n- [CVE-2024-6387 Details](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6387)\n- [CVE-2024-6409 Details](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6409)\n- [OpenSSH Official Site](https://www.openssh.com)\n\nThis analysis provides a comprehensive overview of the vendor response to the software vulnerabilities discussed in the text, focusing on the implications for users and the need for improved communication in the CVE process.',
 'cve_content': "A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period.",
 'cve': 'CVE-2024-6387',
 'date_published': '2024-07-01T13:15:06.467',
 'severity': None,
 'created_date': None,
 'vulnerable_product.discrepancy_reason': None,
 'vulnerable_product.vendor_product': None,
 'vulnerable_product.vendor_software': None,
 'vulnerable_product.vendor_software_version': None,
 'vulnerable_product.is_vulnerable': None,
 'vulnerable_product.vendor_max_vulnerable_version_including': None,
 'vulnerable_product.vendor_min_vulnerable_version_including': None,
 'vulnerable_product.vulnerable_reason': None,
 'vulnerable_product.precondition_configuration': None,
 'vulnerable_product.criticalcondition_configuration': None,
 'remediation.remediation_rationale': None,
 'remediation.remediation_version': None,
 'remediation.remediated_version': None,
 'remediation.workaround': None,
 'remediation.mitigation_conditions': None,
 'exploit.exploit_conditions': None,
 'vulnerability_probability.internet_reachability': None,
 'vulnerability_probability.internet_reachability_reasoning': None,
 'vulnerability_probability.port_probability': None,
 'vulnerability_probability.port_probability_reasoning': None,
 'vulnerability_probability.package_running_probability': None,
 'vulnerability_probability.package_running_probability_reasoning': None,
 'vulnerability_probability.dependency_probability': None,
 'vulnerability_probability.dependency_probability_reasoning': None,
 'vulnerability_probability.function_probability': None,
 'vulnerability_probability.function_probability_reasoning': None,
 'vulnerability_probability.configuration_probability': None,
 'vulnerability_probability.configuration_probability_reasoning': None,
 'vulnerability_probability.overall_probability': None,
 'vulnerability_probability.overall_probability_reasoning': None,
 'vulnerable_software_versions': None,
 'vulnerability_probability.internet_reachability_probability': None,
 'vulnerability_probability.code_path_probability': None,
 'vulnerability_probability.code_path_probability_reasoning': None,
 'vulnerability_probability.pattern_description': None,
 'vulnerability_probability.vendor_comments': None,
 'vulnerability_probability.complexity_of_exploitation': None,
 'vulnerability_probability.complexity_of_exploitation_reasoning': None,
 'vulnerability_probability.rarity_of_vulnerability': None,
 'vulnerability_probability.rarity_of_vulnerability_reasoning': None,
 'vulnerability_probability.pattern_likelihood_of_exploitability': None,
 'vulnerability_probability.pattern_likelihood_of_exploitability_reasoning': None,
 'vulnerable': None}
```
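Two details of the record above matter when you wire it into a pipeline: `vulnerable_product.vendor_product_name` can be `None`, and `remediation.remediation_steps` arrives as a stringified Python list rather than a JSON array. The following is an added example, not Transilience code: it answers "am I running an affected product?" against `vendors_exploits_details` while tolerating both, and parses the steps with `ast.literal_eval` instead of `eval`. The three records in `SAMPLE_DETAILS` are constructed; only the Red Hat values are copied from the record shown above.

```python
"""Answer "am I vulnerable?" from vendors_exploits_details.

Added example, not Transilience code. Keys are those in the record shown
above; the three records in SAMPLE_DETAILS are constructed, and the
remediation_steps value is kept as the stringified list the API returned.
"""
import ast

SAMPLE_DETAILS = [
    {
        "vulnerable_product.vendor_name": "Red Hat",
        "vulnerable_product.vendor_product_name": "OpenSSH",
        "remediation.remediation_steps": "['Upgrade to OpenSSH version 8.9p2 or later.']",
        "remediation.mitigations_available": False,
    },
    {   # constructed record; the Debian values are illustrative only
        "vulnerable_product.vendor_name": "Debian",
        "vulnerable_product.vendor_product_name": "Debian 12.5",
        "remediation.remediation_steps": None,
        "remediation.mitigations_available": True,
    },
    {   # records with no product name do occur (note the None in the set above)
        "vulnerable_product.vendor_name": "Unknown",
        "vulnerable_product.vendor_product_name": None,
        "remediation.remediation_steps": None,
    },
]


def parse_steps(raw):
    """remediation_steps arrives as a stringified list; parse it without eval()."""
    if not raw:
        return []
    if isinstance(raw, list):
        return raw
    try:
        steps = ast.literal_eval(raw)  # literals only; the value comes from a remote service
    except (ValueError, SyntaxError):
        return [raw]                   # plain prose step, not a list literal
    return list(steps) if isinstance(steps, (list, tuple)) else [str(steps)]


def product_names(details):
    """Unique product names with None removed, so string matching never fails."""
    return sorted({d.get("vulnerable_product.vendor_product_name") for d in details} - {None})


def lookup(details, product_substring):
    """Case-insensitive product match -> [(vendor, product, steps, mitigations_available)]."""
    needle = product_substring.lower()
    hits = []
    for d in details:
        name = d.get("vulnerable_product.vendor_product_name") or ""
        if needle in name.lower():
            hits.append((d.get("vulnerable_product.vendor_name"), name,
                         parse_steps(d.get("remediation.remediation_steps")),
                         bool(d.get("remediation.mitigations_available"))))
    return hits
```

Run `lookup(details, "openssh")` against the real 422-entry list and you get every vendor record that names OpenSSH, with its remediation steps already parsed into a list.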