{"id":13845294,"url":"https://github.com/scmanjarrez/CVEScannerV2","last_synced_at":"2025-07-12T01:32:40.161Z","repository":{"id":38791273,"uuid":"394989237","full_name":"scmanjarrez/CVEScannerV2","owner":"scmanjarrez","description":"Nmap script that scans for probable vulnerabilities based on services discovered in open ports. ","archived":false,"fork":false,"pushed_at":"2024-04-25T12:20:34.000Z","size":13091,"stargazers_count":79,"open_issues_count":3,"forks_count":13,"subscribers_count":4,"default_branch":"master","last_synced_at":"2024-08-05T17:44:14.739Z","etag":null,"topics":["exploit","exploit-db","metasploit","nmap","nmap-scan","nmap-scan-script","nmap-script","nmap-scripts","nse","nsescript","penetration-testing","security","security-audit","security-scanner","vulnerability","vulnerability-databases","vulnerability-detection","vulnerability-identification","vulnerability-scanners","vulnerability-scanning"],"latest_commit_sha":null,"homepage":"","language":"Lua","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/scmanjarrez.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2021-08-11T12:57:45.000Z","updated_at":"2024-07-31T07:00:51.000Z","dependencies_parsed_at":"2023-02-17T02:45:18.265Z","dependency_job_id":"a1bcd846-5125-4773-86a9-20d4bdf52292","html_url":"https://github.com/scmanjarrez/CVEScannerV2","commit_stats":null,"previous_names":[],"tags_count":6,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/scmanjarrez%2FCVEScannerV2","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub
/repositories/scmanjarrez%2FCVEScannerV2/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/scmanjarrez%2FCVEScannerV2/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/scmanjarrez%2FCVEScannerV2/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/scmanjarrez","download_url":"https://codeload.github.com/scmanjarrez/CVEScannerV2/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225784374,"owners_count":17523632,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["exploit","exploit-db","metasploit","nmap","nmap-scan","nmap-scan-script","nmap-script","nmap-scripts","nse","nsescript","penetration-testing","security","security-audit","security-scanner","vulnerability","vulnerability-databases","vulnerability-detection","vulnerability-identification","vulnerability-scanners","vulnerability-scanning"],"created_at":"2024-08-04T17:03:19.218Z","updated_at":"2025-07-12T01:32:40.127Z","avatar_url":"https://github.com/scmanjarrez.png","language":"Lua","funding_links":[],"categories":["Lua"],"sub_categories":[],"readme":"# Description\nNmap script that provides information about probable vulnerabilities based on discovered services.\n\n**Contents:**\n  - [Technical details](#technical-details)\n  - [Requirements](#requirements)\n      - [Optional](#optional)\n  - [Execution](#execution)\n      - [Output](#output)\n  - [Errors and fixes](#errors-and-fixes)\n    - [Blocked IP](#blocked-ip)\n    - [Missing luasql](#missing-luasql)\n  - 
[Docker container](#docker-container)\n  - [Query database](#query-database)\n  - [Acknowledgements](#acknowledgements)\n  - [License](#license)\n\n\n# Technical details\nThe current implementation takes care of the following cases:\n\n- If Nmap detects:\n  - `cpe` **AND** `version`: vulnerabilities affecting `version` and\n    vulnerabilities affecting a range of versions that includes `version`.\n  - `cpe` **AND** `version range`: vulnerabilities affecting versions\n    between `version range` (included).\n  - `cpe` but **NO** `version`: vulnerabilities that affect\n    every version of the product.\n  - If no vulnerabilities were found with the `cpe` and `version`\n    returned by Nmap, HTTP detection is used.\n  - **NO** `cpe`: HTTP detection is used.\n\n- HTTP detection:\n  - Used only if the port matches **HTTP**/**SSL**/**UPnP**.\n  - An HTTP GET request is sent for every combination of _path_\n    and _extension_ in `extra/http-paths-vulnerscom.json`, comparing\n    the request headers/body with the regexes in\n    `extra/http-regex-vulnerscom.json`.\n  - Finally, the _home_ page HTML is analyzed in search of library paths.\n    The script tries to obtain the name and version from the library location;\n    then it does an HTTP GET to that path in order to inspect the code\n    of the library and analyze the starting comment looking for the version.\n\n\u003e The Nmap library shortport is used to detect if the port matches HTTP/SSL.\n\n# Requirements\nIn order to run the **cvescannerv2** script, you need the following files present\nin your working directory:\n- CVE database: `cve.db`\n- Paths file: `extra/http-paths-vulnerscom.json`\n- Regex file: `extra/http-regex-vulnerscom.json`\n- Product-aliases file: `extra/product-aliases.json`\n\nIn addition, you must have installed the `lua-sql-sqlite3` (ubuntu)\nor `lua5.4-sql-sqlite3` (alpine) package.\n\n## Optional\nIf you don't have the database `cve.db`, you can build it\nusing the script `extra/database.py` or download a (semiupdated) 
copy\nfrom [CVEScannerV2DB](https://github.com/scmanjarrez/CVEScannerV2DB) using `.sql` files\nor under Actions-\u003eLatest-\u003eSummary-\u003eArtifacts\n\n\u003e This repository is updated every two weeks\n\n```bash\npip install -r extra/requirements.txt\npython extra/database.py\n```\n\n```bash\ngit clone https://github.com/scmanjarrez/CVEScannerV2DB\ncd CVEScannerV2DB \u0026\u0026 sh build.sh\n```\n\n\u003e **Note:** In order to execute `extra/database.py`, you need to\n\u003e [request an API key](https://nvd.nist.gov/developers/request-an-api-key)\n\u003e and save it to a file named `.api` on your current working directory\n\u003e or in the environment variable `NVD_KEY`.\n\n# Execution\nTo run the script, use the following syntax\n```\nnmap -sV --script cvescannerv2 \u003cTARGET\u003e\nnmap -sV --script cvescannerv2 --script-args log=logfile.log,json=logfile.json \u003cTARGET\u003e\n```\n\nIt is possible to modify the behaviour to some extent using the\nfollowing arguments: db, maxcve, http, maxredirect, log, json,\npath, regex, aliases, service and version.\n\u003cdetails\u003e\n    \u003csummary\u003e\u003cb\u003escript-args default values\u003c/b\u003e\u003c/summary\u003e\n\n    db: cve.db\n    maxcve: 10\n    http: 1\n    maxredirect: 1\n    log: cvescannerv2.log\n    json: cvescannerv2.json\n    path: extra/http-paths-vulnerscom.json\n    regex: extra/http-regex-vulnerscom.json\n    aliases: extra/product-aliases.json\n    service: all\n    version: all\n\u003c/details\u003e\n\n\u003cdetails\u003e\n    \u003csummary\u003e\u003cb\u003escript-args examples\u003c/b\u003e\u003c/summary\u003e\n\n    nmap -sV --script cvescannerv2 --script-args db=cve.db \u003cTARGET\u003e\n    nmap -sV --script cvescannerv2 --script-args maxcve=5 \u003cTARGET\u003e\n\n    # Change reports path\n    nmap -sV --script cvescannerv2 --script-args log=scan2023.log,json=scan2023.json \u003cTARGET\u003e\n\n    # Only scan certain service/version\n    nmap -sV --script cvescannerv2 
--script-args service=http_server,version=2.4.57 \u003cTARGET\u003e\n\n    # Disable HTTP detection\n    nmap -sV --script cvescannerv2 --script-args http=0 \u003cTARGET\u003e\n\u003c/details\u003e\n\n\u003e **Note**: `cvescannerv2.nse` can be placed in Nmap default script directory\n\u003e for global execution.\n\u003e\n\u003e - Linux and OSX default script locations:\n\u003e   - /usr/local/share/nmap/scripts/\n\u003e   - /usr/share/nmap/scripts/\n\u003e   - /opt/local/share/nmap/scripts/\n\u003e   - /usr/local/Cellar/nmap/\u003ci\u003e\u0026lt;version\u0026gt;\u003c/i\u003e/share/nmap/scripts/\n\u003e\n\u003e - Windows default script locations:\n\u003e   - C:\\Program Files\\Nmap\\Scripts\n\u003e   - %APPDATA%\\nmap\n\u003e\n\u003e It's recommended to create a **symbolic link**, so changes in repository are reflected\n\u003e in the script.\n\n## Output\nCVEScannerV2 will show CVEs related to every `service-version` discovered.\n\u003e **Note**: This script depends on heuristics implemented in Nmap, so if it doesn't\n\u003e detect a service or is detected incorrectly, CVEScannerV2 will show an incorrect output.\n\n\u003cdetails\u003e\n    \u003csummary\u003e\u003cb\u003eNmap output\u003c/b\u003e\u003c/summary\u003e\n\n    PORT      STATE    SERVICE        VERSION\n    22/tcp    open  ssh                  OpenSSH 7.1 (protocol 2.0)\n    | cvescannerv2:\n    |   product: openssh\n    |   version: 4.7\n    |   vupdate: p1\n    |   cves: 38\n    |   \tCVE ID              \tCVSSv2\tCVSSv3\tExploitDB \tMetasploit\n    |   \tCVE-2016-1908       \t7.5  \t9.8  \tNo        \tNo\n    |   \tCVE-2023-38408      \tnil  \t9.8  \tNo        \tNo\n    |       ...\n    |   \tCVE-2016-6515       \t7.8  \t7.5  \tYes       \tNo\n    |_\n    ...\n    ...\n    3306/tcp  open  mysql                MySQL 5.5.20-log\n    | cvescannerv2:\n    |   product: mysql\n    |   version: 5.0.51\n    |   vupdate: a\n    |   cves: 212\n    |   \tCVE ID              \tCVSSv2\tCVSSv3\tExploitDB 
\tMetasploit\n    |   \tCVE-2009-2446       \t8.5  \t-    \tNo        \tNo\n    |       ...\n    |   \tCVE-2009-4484       \t7.5  \t-    \tNo        \tYes\n    |   \tCVE-2008-0226       \t7.5  \t-    \tNo        \tYes\n    |_\n    ...\n    ...\n\u003c/details\u003e\n\nLog file **\\*.log** contains every _exploit/metasploit_ found.\n\n\u003cdetails\u003e\n    \u003csummary\u003e\u003cb\u003ecvescannerv2.log\u003c/b\u003e\u003c/summary\u003e\n\n    ## 2023-08-26T14:38:30+00:00\n\n    [*] host: 192.168.69.129\n    [*] port: 22\n    [+] protocol: tcp\n    [+] service: ssh\n    [+] cpe: cpe:/a:openbsd:openssh:4.7p1\n    [+] product: openssh\n    [+] version: 4.7\n    [+] vupdate: p1\n    [+] cves: 38\n    [-] \tid: CVE-2016-1908     \tcvss_v2: 7.5  \tcvss_v3: 9.8\n    [-] \tid: CVE-2023-38408    \tcvss_v2: nil  \tcvss_v3: 9.8\n    ...\n    [-] \tid: CVE-2016-6515     \tcvss_v2: 7.8  \tcvss_v3: 7.5\n    [!] \t\tExploitDB:\n    [#] \t\t\tname: nil\n    [#] \t\t\tid: 40888\n    [#] \t\t\turl: https://www.exploit-db.com/exploits/40888\n    [-] \tid: CVE-2010-4478     \tcvss_v2: 7.5  \tcvss_v3: -\n    ...\n    -------------------------------------------------\n    [*] host: 192.168.69.129\n    [*] port: 3306\n    [+] protocol: tcp\n    [+] service: mysql\n    [+] cpe: cpe:/a:mysql:mysql:5.0.51a-3ubuntu5\n    [+] product: mysql\n    [+] version: 5.0.51\n    [+] vupdate: a\n    [+] cves: 212\n    [-] \tid: CVE-2009-2446     \tcvss_v2: 8.5  \tcvss_v3: -\n    ...\n    [-] \tid: CVE-2009-4484     \tcvss_v2: 7.5  \tcvss_v3: -\n    [!] \t\tMetasploit:\n    [#] \t\t\tname: exploit/linux/mysql/mysql_yassl_getname\n    [-] \tid: CVE-2008-0226     \tcvss_v2: 7.5  \tcvss_v3: -\n    [!] 
\t\tMetasploit:\n    [#] \t\t\tname: exploit/linux/mysql/mysql_yassl_hello\n    [#] \t\t\tname: exploit/windows/mysql/mysql_yassl_hello\n    ...\n\u003c/details\u003e\n\nLog file **\\*.json** contains the same information but formatted as **json**\n\n\u003cdetails\u003e\n    \u003csummary\u003e\u003cb\u003ecvescannerv2.json\u003c/b\u003e\u003c/summary\u003e\n\n    {\n      \"192.168.69.129\": {\n        \"ports\": {\n          \"22/tcp\": {\n            \"services\": [\n              {\n                \"vupdate\": \"p1\",\n                \"vulnerabilities\": {\n                  \"total\": 38,\n                  \"info\": \"scan\",\n                  \"cves\": {\n                    \"CVE-2014-1692\": {\n                      \"cvssv2\": 7.5,\n                      \"cvssv3\": \"-\"\n                    },\n                    ...\n                    \"CVE-2016-6210\": {\n                      \"cvssv3\": 5.9,\n                      \"exploitdb\": [\n                        {\n                          \"id\": 40113,\n                          \"url\": \"https://www.exploit-db.com/exploits/40113\"\n                        },\n                        {\n                          \"id\": 40136,\n                          \"url\": \"https://www.exploit-db.com/exploits/40136\"\n                        }\n                      ],\n                      \"metasploit\": [\n                        {\n                          \"name\": \"auxiliary/scanner/ssh/ssh_enumusers\"\n                        }\n                      ],\n                      \"cvssv2\": 4.3\n                    },\n                  }\n                  ...\n                },\n                \"cpe\": \"cpe:/a:openbsd:openssh:4.7p1\",\n                \"name\": \"ssh\",\n                \"version\": \"4.7\",\n                \"product\": \"openssh\"\n              }\n            ]\n          },\n          ...\n        \"timestamp\": \"2023-08-26T14:38:30+00:00\"\n      }\n    
}\n\u003c/details\u003e\n\n\u003e You can find the full output of **metasploitable2/3** in `example_data`.\n\n# Errors and fixes\n## Blocked IP\n\u003e Connection timeout/error during CRAWL phase (`database.py`)\n\n**Fix:** Wait 15 minutes before re-running `database.py`.\n\n## Missing luasql\n\u003e cvescannerv2.nse:54: module 'luasql.sqlite3' not found:\u003cbr\u003e\n\u003e NSE failed to find nselib/luasql/sqlite3.lua in search paths.\u003cbr\u003e\n\u003e ...\n\n**Fix:** Install the library based on your OS (check [Requirements](#requirements))\nand create a symlink in the Nmap search path.\n```bash\napt install lua-sql-sqlite3\nln -s /usr/lib/x86_64-linux-gnu/lua /usr/local/lib/lua\n```\n\n```bash\napk add --no-cache lua5.4-sql-sqlite3\nln -s /usr/lib/lua /usr/local/lib/lua\n```\n\u003e The above commands may require superuser permissions.\n\n# Docker container\nWe have prepared two containers, configured and ready to be used; you can download them\nfrom DockerHub:\n- Database embedded version: `scmanjarrez/cvescanner:db` or `scmanjarrez/cvescanner:latest`\n- No database: `scmanjarrez/cvescannerv2:nodb`\n\n```bash\ndocker run -v /tmp/cvslogs:/tmp/cvslogs scmanjarrez/cvescanner --script-args log=/tmp/cvslogs/scan.log,json=/tmp/cvslogs/scan.json \u003cTARGET\u003e\n\ndocker run -v ./cve.db:/CVEScannerV2/cve.db -v /tmp/cvslogs:/tmp/cvslogs scmanjarrez/cvescanner:nodb --script-args log=/tmp/cvslogs/cvescannerv2.log,json=/tmp/cvslogs/cvescannerv2.json \u003cTARGET\u003e\n```\n\n\u003e **Note**: You can find your logs in the `/tmp/cvslogs` directory\n\n# Query database\nThere is a helper script, `extra/query.py`, to retrieve information directly from the\nsqlite database.\n\n```bash\npython extra/query.py -h\nusage: query.py [-h] [-c CVE] -p PRODUCT [-v VERSION] [-u UPDATE] [-r] [-d]\n\nCommand line utility to query related CVEs\n\noptions:\n  -h, --help            show this help message and exit\n  -c CVE, --cve CVE     Path to CVE db\n  -p PRODUCT, --product PRODUCT\n           
             Product name to query\n  -v VERSION, --version VERSION\n                        Version of the product\n  -u UPDATE, --update UPDATE\n                        Version update of the product\n  -r, --raw             Output raw data (no filters applied)\n  -d, --debug           Debug messages\n```\n\n```bash\npython extra/query.py -p \"gibbon\" -v \"25.0.0\"\n\nExact match:\n+----------------+--------+--------+-----------+---------+---------+----------+-----+-----+\n|      CVE       | CVSSv2 | CVSSv3 |  Vendor   | Product | Version | V.Update | EDB | MSF |\n+================+========+========+===========+=========+=========+==========+=====+=====+\n| CVE-2023-34599 |        |  6.1   | gibbonedu | gibbon  | 25.0.00 |    *     | No  | No  |\n+----------------+--------+--------+-----------+---------+---------+----------+-----+-----+\n| CVE-2023-34598 |        |  9.8   | gibbonedu | gibbon  | 25.0.00 |    *     | No  | No  |\n+----------------+--------+--------+-----------+---------+---------+----------+-----+-----+\n\nMulti match:\n+----------------+--------+--------+-----------+---------+--------------+--------------+------------+------------+-----+-----+\n|      CVE       | CVSSv2 | CVSSv3 |  Vendor   | Product | StartInclude | StartExclude | EndInclude | EndExclude | EDB | MSF |\n+================+========+========+===========+=========+==============+==============+============+============+=====+=====+\n| CVE-2023-45881 |        |  6.1   | gibbonedu | gibbon  |              |              |  25.0.00   |            | No  | No  |\n+----------------+--------+--------+-----------+---------+--------------+--------------+------------+------------+-----+-----+\n| CVE-2023-45878 |        |  9.8   | gibbonedu | gibbon  |              |              |  25.0.01   |            | No  | No  |\n+----------------+--------+--------+-----------+---------+--------------+--------------+------------+------------+-----+-----+\n| CVE-2023-45879 |        |  5.4   | gibbonedu | 
gibbon  |              |              |  25.0.00   |            | No  | No  |\n+----------------+--------+--------+-----------+---------+--------------+--------------+------------+------------+-----+-----+\n| CVE-2023-45880 |        |  7.2   | gibbonedu | gibbon  |              |              |  25.0.00   |            | No  | No  |\n+----------------+--------+--------+-----------+---------+--------------+--------------+------------+------------+-----+-----+\n```\n\n\n# Acknowledgements\n**This work has been supported by National R\u0026D Project TEC2017-84197-C4-1-R and by\nthe Comunidad de Madrid project CYNAMON P2018/TCS-4566 and co-financed by European\nStructural Funds (ESF and FEDER)**\n\n- Based on [alegr3/CVEscanner](https://github.com/alegr3/CVEscanner) script.\n\n- Common server regexes and paths from [vulnersCom/nmap-vulners](https://github.com/vulnersCom/nmap-vulners).\n\n- Modules cache generated from [rapid7/metasploit-framework](https://github.com/rapid7/metasploit-framework).\n  \u003e Can be found in **~/.msf4/store/modules_metadata.json** after running **msfconsole**\n\n- CVE information gathered from [nvd.nist.gov](https://nvd.nist.gov).\n\n# License\n    CVEScannerV2  Copyright (C) 2021-2025 Sergio Chica Manjarrez @ pervasive.it.uc3m.es.\n    Universidad Carlos III de Madrid.\n    This program comes with ABSOLUTELY NO WARRANTY; for details check below.\n    This is free software, and you are welcome to redistribute it\n    under certain conditions; check below for details.\n\n[LICENSE](LICENSE)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fscmanjarrez%2FCVEScannerV2","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fscmanjarrez%2FCVEScannerV2","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fscmanjarrez%2FCVEScannerV2/lists"}