There are a number of sites and services available for researching vulnerabilities, some have been around for a long time (Mitre, NVD) , others are new to the game (OSVDB). Although these sites offer a great mix of information, a new player that’s making access to CVE vulnerability information easier than ever is cvedetails.com (alternatively known as SecurityVulnerability.net). This new twist on CVE search offers the ability to browse vulnerability information by type, date, product, vendor, and CVSS scores using an easy to use interface with a great deal of customization.
As you can see by the above screenshot (using Apache as an example), the layout of CVEdeails gives a great deal of information about vulnerabilities reported, including a helpful breakdown of the type of flaw and number of vulnerabilities reported by year (see the coloured charts at the bottom of the screenshot). Here you can easily filter the vulnerabilities further by year or type simply by clicking on the desired selection. Not only does the interface make filtering your search criteria easier, but management will love charts…. just saying
Diving into the “Execute Code” vulnerabilities (after all, that’s the real juicy stuff), CVEdetails gives you a full breakdown of CVE information with some nice additional features. I particularly like the ability to easily see the CVSS scores, as well as the “gained access level” and access (remote|local). This, alongside the ability to easily filter by CVSS score, makes researching vulnerabilities a lot easier. The eagle-eyed amongst you will also have noticed the “# of Exploits” column. This gives an indication (I say this, because not all exploits are publicly available) of the exploits available.
By clicking on one of the CVE listing we get a good overview of the vulnerability (as you’d expect, this information is based on centrally stored information), however the addition of some handy links in the “Vulnerable Products” list is a nice bonus. Here you can easily expand/narrow your search by looking at other vulnerabilities for the affected product versions. The ability to also look at vulnerability trends for specific product versions is also something that will come in useful for a number of us I’m sure. Again, management love charts, and I can see this kind of charting being used in reports t convey the issue of outdated software more clearly to management.
Overall CVEdetails seems like a step in the right direction when it comes to providing useful information in an easy to find/use interface. The ability to view large amounts of vulnerability information and filter it to your requirements is a real timesaver, and the level of customization within the searches provides exactly what you’re looking for without the headache of manually sifting through pages and pages of CVEs before you finally find the one you need. I know there are a lot of other alternatives out there, but adding CVEdetails to this list certainly won’t hurt!
- CVEdetails –> http://www.cvedetails.com
- SecurityVulnerability.net –> http://www.securityvulnerability.net
- Mitre CVE (Common Vulnerabilities and Exposures) –> http://cve.mitre.org/
- Mitre CWE (Common Weakness Enumeration) –> http://cwe.mitre.org/
- NVD (National Vulnerability Database) –> http://nvd.nist.gov/
- OSVDB (Open Source Vulnerability Database)–>http://osvdb.org/
- OVAL (Open Vulnerability and Assessment Language) –> http://oval.mitre.org/