# Vulnerability-Lookup Workshop

This workshop introduces Vulnerability-Lookup, a comprehensive vulnerability intelligence service for security research and threat assessment. Vulnerability-Lookup provides detailed information about CVEs, vulnerability sightings, and product-specific vulnerability data.

## What is Vulnerability-Lookup?

Vulnerability-Lookup is a public API service that provides comprehensive vulnerability intelligence and tracking capabilities. It aggregates CVE data from multiple sources and tracks real-world exploitation through sighting data. The service offers both historical vulnerability information and current threat intelligence to help security professionals prioritize remediation efforts and understand active attack landscapes.

## Key Features

### Vulnerability-Lookup Capabilities
- **CVE Database Access**: Complete Common Vulnerabilities and Exposures records with metadata
- **Sighting Intelligence**: Real-world exploitation tracking and vulnerability observations
- **CPE-Based Queries**: Search vulnerabilities by specific products using Common Platform Enumeration
- **Temporal Analysis**: Historical vulnerability trends and time-based filtering
- **Vendor Intelligence**: Product portfolios and vendor-specific vulnerability analysis
- **Statistical Analytics**: Most sighted vulnerabilities and exploitation frequency metrics
- **API Integration**: RESTful API with Python library for automation and integration

## Data Sources

Vulnerability-Lookup aggregates data from multiple authoritative sources:
- **CVE Program**: Official CVE records from MITRE Corporation and National Vulnerability Database
- **Vendor Security Advisories**: Direct feeds from software and hardware manufacturers
- **Threat Intelligence Networks**: Exploitation data from security research organizations
- **Honeypot Systems**: Attack observation data from deception technologies
- **Security Community**: Crowdsourced vulnerability sighting reports and research findings

## Documentation

- **Main Service**: https://www.vulnerability-lookup.org/documentation/
- **Python library**: https://github.com/vulnerability-lookup/PyVulnerabilityLookup
- **API Documentation**: https://vulnerability.circl.lu/api/

### Use Cases
- **Vulnerability Management**: Prioritize patching based on exploitation activity and threat intelligence
- **Threat Hunting**: Search for indicators of active exploitation campaigns in organizational environments
- **Risk Assessment**: Evaluate security exposure for specific products, vendors, and technology stacks
- **Incident Response**: Quickly assess vulnerability context during security investigations
- **Security Research**: Analyze vulnerability patterns, exploitation trends, and threat actor techniques

## Learning Objectives

By completing this workshop, you will learn to:
- Query recent CVE publications and analyze vulnerability disclosure trends
- Search for product-specific vulnerabilities using CPE identifiers and vendor analysis
- Track real-world vulnerability exploitation through comprehensive sighting data
- Correlate vulnerability intelligence across multiple data sources and time periods
- Build automated vulnerability monitoring workflows using the Python API
- Generate actionable threat intelligence reports for security operations and risk management

## Exercises

In [None]:
```python
from pyvulnerabilitylookup import PyVulnerabilityLookup

# Configure HTTP sessions for API communication
print("Configuring API client for VulnerabilityLookup...")

# VulnerabilityLookup session configuration
vulnerability_lookup = PyVulnerabilityLookup()

print("API client configured successfully!")
print("Ready to query VulnerabilityLookup service.")
```

```
Configuring API client for VulnerabilityLookup...
API client configured successfully!
Ready to query VulnerabilityLookup service.
```


### Exercise 1.0: Get Latest CVE Publications

**Objective:** Retrieve and analyze the most recently published Common Vulnerabilities and Exposures (CVE) records to understand current vulnerability disclosure activity.

This exercise demonstrates how to query the latest CVE publications from the vulnerability database. The results provide insights into recent vulnerability disclosures, helping security teams stay informed about newly identified security issues that may affect their environments. The data includes CVE identifiers, publication dates, and metadata that can be used for immediate threat assessment and proactive security planning.

**API Endpoint:** `https://vulnerability.circl.lu/api/vulnerability/last`

In [59]:
```python
vulns = vulnerability_lookup.get_last()

print("CVE ID \t\t Date Published")
for vuln in vulns:
    if "dataType" in vuln and vuln['dataType'] == 'CVE_RECORD' and "cveMetadata" in vuln:
        print(f"{vuln['cveMetadata']['cveId']} \t {vuln['cveMetadata']['datePublished']}")
```

```
CVE ID 		 Date Published
CVE-2011-10040 	 2025-10-30T21:55:55.168Z
CVE-2025-10955 	 2025-11-06T14:46:09.596Z
CVE-2019-16278 	 2019-10-14T16:06:03.000Z
CVE-2011-10039 	 2025-10-30T21:48:44.152Z
CVE-2023-41064 	 2023-09-07T17:30:10.904Z
CVE-2025-43300 	 2025-08-21T00:27:21.442Z
CVE-2025-48384 	 2025-07-08T18:23:48.710Z
CVE-2025-6558 	 2025-07-15T18:12:36.848Z
CVE-2025-11956 	 2025-11-06T14:51:51.292Z
CVE-2025-20362 	 2025-09-25T16:12:35.916Z
CVE-2021-34527 	 2021-07-02T21:25:11.000Z
CVE-2023-4911 	 2023-10-03T17:25:08.434Z
CVE-2021-3560 	 2022-02-16T00:00:00.000Z
CVE-2022-0847 	 2022-03-07T00:00:00.000Z
CVE-2022-0185 	 2022-02-11T17:40:57.000Z
CVE-2021-4034 	 2022-01-28T00:00:00.000Z
```


### Exercise 1.1: Get Recent CVE Publications with Filtering

**Objective:** Demonstrate advanced querying capabilities with temporal filtering and result limiting for focused vulnerability analysis.

This exercise shows how to retrieve a specific number of recent CVE records from a particular data source within a defined time period. By applying filters for date ranges, data sources, and result limits, security analysts can focus their analysis on relevant vulnerability data without being overwhelmed by the complete dataset. This approach is particularly useful for generating weekly or monthly vulnerability reports and tracking disclosure patterns.

**API Endpoint:** `https://vulnerability.circl.lu/api/vulnerability`

In [60]:
```python
from datetime import datetime

vulns = vulnerability_lookup.get_recent(
    date_from=datetime(2025, 1, 1), source="cvelistv5", number=10
)

print("CVE ID \t\t Date Published")
for vuln in vulns:
    if (
        "dataType" in vuln
        and vuln["dataType"] == "CVE_RECORD"
        and "cveMetadata" in vuln
    ):
        print(f"{vuln['cveMetadata']['cveId']} \t {vuln['cveMetadata']['datePublished']}")
```

```
CVE ID 		 Date Published
CVE-2025-10955 	 2025-11-06T14:46:09.596Z
CVE-2025-11956 	 2025-11-06T14:51:51.292Z
CVE-2025-12360 	 2025-11-06T07:27:05.431Z
CVE-2025-11268 	 2025-11-06T08:26:27.860Z
CVE-2025-37729 	 2025-10-13T13:47:08.907Z
CVE-2025-37735 	 2025-11-06T14:27:26.235Z
CVE-2025-43496 	 2025-11-04T01:16:40.410Z
CVE-2025-43450 	 2025-11-04T01:17:36.172Z
CVE-2025-43503 	 2025-11-04T01:17:38.232Z
CVE-2025-43493 	 2025-11-04T01:17:45.738Z
```


### Exercise 1.2: Product-Specific Vulnerability Analysis Using CPE

**Objective:** Learn to search for vulnerabilities affecting specific products using Common Platform Enumeration (CPE) identifiers for targeted risk assessment.

This exercise demonstrates how to retrieve all known vulnerabilities for a specific product using its CPE identifier. CPE provides a standardized way to identify IT products and platforms, enabling consistent vulnerability tracking across different security tools. By analyzing product-specific vulnerabilities, security teams can assess the risk exposure of deployed technologies and prioritize patching efforts based on their actual technology stack.

**API Endpoints:** 
- `https://vulnerability.circl.lu/api/vulnerability`
- `https://vulnerability.circl.lu/api/vulnerability/cpesearch/[cpe]`

In [61]:
```python
ms_exchange_cpe = "cpe:2.3:a:microsoft:exchange_server"
vulns = vulnerability_lookup.get_vulnerabilities_by_cpe(ms_exchange_cpe)

print("CVE ID \t\t Date Published")
for vuln in vulns['cvelistv5']:
    # Guard the dataType lookup like the earlier cells do, so a record
    # without that key does not raise KeyError
    if vuln.get('dataType') == 'CVE_RECORD' and "cveMetadata" in vuln:
        print(f"{vuln['cveMetadata']['cveId']} \t {vuln['cveMetadata']['datePublished']}")
```

```
CVE ID 		 Date Published
CVE-2025-59248 	 2025-10-14T17:01:42.916Z
CVE-2025-59249 	 2025-10-14T17:00:42.051Z
CVE-2025-53782 	 2025-10-14T17:00:08.402Z
CVE-2025-25006 	 2025-08-12T17:09:53.262Z
CVE-2025-25007 	 2025-08-12T17:09:53.981Z
CVE-2025-25005 	 2025-08-12T17:09:52.756Z
CVE-2025-33051 	 2025-08-12T17:09:45.207Z
CVE-2023-36777 	 2023-09-12T16:58:41.822Z
CVE-2023-36744 	 2023-09-12T16:58:32.372Z
CVE-2023-36756 	 2023-09-12T16:58:31.333Z
CVE-2023-36745 	 2023-09-12T16:58:31.857Z
CVE-2023-36757 	 2023-09-12T16:58:30.805Z
CVE-2017-8540 	 2017-05-26T20:00:00.000Z
CVE-2018-8581 	 2018-11-14T01:00:00.000Z
CVE-2020-0688 	 2020-02-11T21:22:59.000Z
CVE-2020-17144 	 2020-12-09T23:36:55.000Z
CVE-2021-26855 	 2021-03-02T23:55:26.000Z
CVE-2021-26857 	 2021-03-02T23:55:26.000Z
CVE-2021-27065 	 2021-03-02T23:55:28.000Z
CVE-2021-26858 	 2021-03-02T23:55:27.000Z
CVE-2021-31207 	 2021-05-11T19:11:41.000Z
CVE-2021-31196 	 2021-07-14T17:53:12.000Z
CVE-2021-33766 	 2021-07-14T17:53:40.000Z
CVE-2021-344
```

### Exercise 1.3: Vendor Product Discovery and Portfolio Analysis

**Objective:** Explore vendor-specific product portfolios to understand the complete range of products and their associated vulnerability landscapes.

This exercise shows how to enumerate all products from a specific vendor, providing a comprehensive view of their product portfolio. Understanding a vendor's complete product range helps security teams identify all potentially vulnerable components in their environment, assess vendor security practices, and make informed decisions about technology adoption. This information is particularly valuable for supply chain risk assessment and vendor security evaluation processes.

**API Endpoint:** `https://vulnerability.circl.lu/api/vulnerability/vendor/[vendor]`

In [62]:
```python
vendor = "gitlab"
products = vulnerability_lookup.get_vendor_products(vendor)

for product in products:
    print(product)
```

```
gitlab_runner
language_server
gitlab community and enterprise editions
gitlab-shell
dynamic_application_security_testing_analyzer
runner
gitlab ee
dast api scanner
gitlab community edition and gitlab enterprise edition
dast
gitaly
gitlab
gitlab-vscode-extension
gitlab community edition (ce) et gitlab enterprise edition (ee)
gitlab enterprise edition
gitlab ce/ee
gitlab runner
n/a
gitlab language server
gitlab vscode fork
dast_api_scanner
gitlab pages
omnibus
gitlab community edition
gitlab dast api scanner
```


### Exercise 1.4: Vulnerability Sighting Trend Analysis

**Objective:** Analyze the most frequently sighted vulnerabilities to understand active threat landscapes and prioritize security responses based on real-world exploitation data.

This exercise demonstrates how to identify vulnerabilities that are being actively observed in security monitoring systems, honeypots, and threat intelligence networks. Sighting data represents real-world observations of vulnerability exploitation attempts, providing crucial intelligence for risk prioritization. By focusing on the most sighted vulnerabilities, security teams can align their defensive efforts with actual threat activity rather than theoretical risk scores alone.

**API Endpoint:** `/stats/vulnerability/most_sighted`

In [64]:
```python
vulns = vulnerability_lookup.most_sighted_vulnerabilities(
    date_from=datetime(2025, 1, 1), date_to=datetime(2025, 12, 31)
)

print("CVE ID \t\t Sightings count")
for vuln in vulns:
    print(f"{vuln['vulnerability']} \t {vuln['count']}")
```

```
CVE ID 		 Sightings count
cve-2015-2051 	 613
cve-2017-18368 	 603
cve-2018-10562 	 525
cve-2025-53770 	 505
cve-2025-5777 	 496
cve-2025-31324 	 472
cve-2025-0108 	 416
cve-2021-44228 	 392
cve-2023-20198 	 390
cve-2017-17215 	 387
```


### Exercise 1.5: Recent Exploitation Activity Monitoring

**Objective:** Monitor real-time exploitation activity through recent sighting data to identify immediate security threats and emerging attack patterns.

This exercise focuses on analyzing exploitation sightings from the past week to identify currently active threats. By filtering for "exploited" sightings and aggregating the data by vulnerability, security analysts can quickly identify which CVEs are being actively targeted by attackers. This real-time intelligence is crucial for immediate threat response, emergency patching decisions, and tactical security operations.

**API Endpoint:** `https://vulnerability.circl.lu/api/vulnerability/sighting`

In [65]:
```python
from datetime import datetime, timedelta

delta = datetime.now() - timedelta(weeks=1)

result = vulnerability_lookup.get_sightings(date_from=delta, sighting_type='exploited')

vulnerabilities = {}

for sighting in result['data']:
    vuln_id = sighting.get('vulnerability')
    if vuln_id:
        vulnerabilities[vuln_id] = vulnerabilities.get(vuln_id, 0) + 1

vulnerabilities = dict(sorted(vulnerabilities.items(), key=lambda item: item[1], reverse=True))

print("Vulnerability ID \t Sightings in last week")
for vuln_id, count in vulnerabilities.items():
    print(f"{vuln_id} \t\t {count}")
```

```
Vulnerability ID 	 Sightings in last week
CVE-2019-16920 		 7
CVE-2021-24931 		 7
CVE-2023-22527 		 7
CVE-2023-46805 		 7
CVE-2021-34473 		 7
CVE-2022-24990 		 7
CVE-2020-5902 		 7
CVE-2024-3400 		 7
CVE-2025-61882 		 7
CVE-2021-22986 		 7
CVE-2018-11759 		 7
CVE-2020-9054 		 7
CVE-2024-53704 		 7
CVE-2021-35587 		 7
CVE-2019-9978 		 7
CVE-2021-44228 		 7
CVE-2017-17215 		 7
CVE-2023-20198 		 7
CVE-2016-10372 		 7
CVE-2018-10562 		 7
CVE-2014-8361 		 7
CVE-2022-22274 		 7
CVE-2023-0656 		 7
CVE-2017-9841 		 7
CVE-2021-42013 		 7
CVE-2023-38646 		 7
CVE-2015-2051 		 7
CVE-2016-6277 		 7
CVE-2019-1653 		 7
CVE-2019-12780 		 7
CVE-2025-5777 		 7
CVE-2021-40438 		 7
CVE-2020-3452 		 7
CVE-2021-26855 		 7
CVE-2024-0012 		 7
CVE-2025-0108 		 7
CVE-2018-1217 		 7
CVE-2018-6530 		 7
CVE-2016-1555 		 7
CVE-2021-36380 		 7
CVE-2022-24816 		 7
CVE-2020-5847 		 7
CVE-2020-8191 		 7
CVE-2020-15505 		 7
CVE-2021-22502 		 7
CVE-2021-31755 		 7
CVE-2020-17496 		 7
CVE-2024-24919 		 7
CVE-2020-25506 		
```

### Homework - Top 5 "Exploited" CVEs for a Chosen Product CPE

Find the top 5 "exploited" CVEs for a chosen product CPE in the last 90 days.

**Objective:** Combine vendor/product lookup, CPE-based vulnerability retrieval and sighting data to produce a ranked list of most-seen exploited CVEs.

Tasks:
- Pick a CPE string (or find a product with `get_vendor_products()` and derive a CPE).
- Use `get_vulnerabilities_by_cpe(cpe)` to retrieve CVE records for that CPE.
- Query sightings for the last 90 days with `get_sightings(date_from=..., sighting_type='exploited')`.
- Count how many times each CVE from the CPE results appears in the sightings.
- Print the top 5 CVEs with their sighting counts and published dates (from `cveMetadata`).

Hints:
- Use `datetime` and `timedelta(days=90)` to compute `date_from`.
- Aggregate sightings into a dictionary, then sort by count descending.
- For each top CVE, look up `cveMetadata['datePublished']` in the vulnerability records.

Expected output (example format):
```
CVE-ID — Sightings: N — Published: YYYY-MM-DD
```

In [None]:
```python
# Your code here...
```
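A worked implementation of the homework pipeline, added here as an example; it is not part of the workshop notebook and not code from the PyVulnerabilityLookup library. It also covers the "derive a CPE from a vendor product name" step that Exercise 1.3 leaves to the reader. The ranking logic (`rank_exploited_cves`) runs offline on constructed sample data shaped like the responses printed in Exercises 1.2 and 1.5, so it can be checked without network access; only `top_exploited_for_cpe` calls the client, using the same method names the exercises use (`get_vulnerabilities_by_cpe`, `get_sightings`). The function names, the `_CPE_RESERVED` set and the sample records are assumptions made for this example; the sample CVE ids and publication dates are copied from the Exercise 1.2 listing.

```python
# Added worked example (not part of the workshop notebook or of the
# PyVulnerabilityLookup library). It implements the homework pipeline and the
# "derive a CPE from a vendor product name" step of Exercise 1.3. The ranking
# runs offline on constructed sample data shaped like the responses printed
# in Exercises 1.2 and 1.5; only top_exploited_for_cpe() talks to the API.
from datetime import datetime, timedelta

# Characters that the CPE 2.3 formatted-string binding requires to be escaped
# when they appear literally in a component ('*' and '?' are wildcards).
_CPE_RESERVED = set('!"#$%&\'()*+,/:;<=>?@[\\]^`{|}~')


def product_to_cpe(vendor: str, product: str) -> str:
    """Best-effort CPE 2.3 application prefix from a vendor and product name.

    get_vendor_products() returns free-text names taken from CVE records
    ("gitlab runner", "gitlab ce/ee", even "n/a"), not canonical CPE
    components, so the result is a guess to be checked against the CPE
    dictionary before it drives any decision.
    """
    def component(value: str) -> str:
        value = value.strip().lower().replace(" ", "_")
        return "".join("\\" + ch if ch in _CPE_RESERVED else ch for ch in value)

    return f"cpe:2.3:a:{component(vendor)}:{component(product)}"


def rank_exploited_cves(cpe_vulns: dict, sightings: dict, top_n: int = 5) -> list:
    """Rank the CVEs of a CPE by how often they appear in exploited sightings.

    cpe_vulns: the dict returned by get_vulnerabilities_by_cpe(), keyed by
               source ("cvelistv5", ...) with a list of records per source.
    sightings: the dict returned by get_sightings(sighting_type="exploited"),
               whose "data" list holds one entry per sighting.
    Returns up to top_n (cve_id, sighting_count, date_published) tuples,
    most sighted first; CVEs with no sightings in the window are omitted.
    """
    # Index publication dates by upper-cased CVE id. Sighting ids are not
    # consistently cased (Exercise 1.4 prints lower-case ids, 1.5 upper-case),
    # so every id is normalised before it is compared.
    published = {}
    for records in cpe_vulns.values():
        for record in records:
            if record.get("dataType") == "CVE_RECORD" and "cveMetadata" in record:
                meta = record["cveMetadata"]
                published[meta["cveId"].upper()] = meta.get("datePublished", "")[:10]

    counts = {}
    for sighting in sightings.get("data", []):
        vuln_id = (sighting.get("vulnerability") or "").upper()
        if vuln_id in published:  # ignore sightings of CVEs outside the CPE
            counts[vuln_id] = counts.get(vuln_id, 0) + 1

    # Sort by count descending, then by id so ties come out in a stable order.
    ranked = sorted(counts.items(), key=lambda item: (-item[1], item[0]))
    return [(cve, n, published[cve]) for cve, n in ranked[:top_n]]


def top_exploited_for_cpe(client, cpe: str, days: int = 90, top_n: int = 5) -> list:
    """Live version of the homework: fetch through the workshop's client
    (a PyVulnerabilityLookup instance) and rank. Not run in the offline test."""
    cpe_vulns = client.get_vulnerabilities_by_cpe(cpe)
    sightings = client.get_sightings(
        date_from=datetime.now() - timedelta(days=days), sighting_type="exploited"
    )
    return rank_exploited_cves(cpe_vulns, sightings, top_n)


# Constructed sample data (not real API output): four Exchange CVEs copied from
# the Exercise 1.2 listing, plus sightings that include one unrelated CVE.
def _rec(cve_id, published):
    return {"dataType": "CVE_RECORD",
            "cveMetadata": {"cveId": cve_id, "datePublished": published}}

SAMPLE_CPE_VULNS = {"cvelistv5": [
    _rec("CVE-2021-26855", "2021-03-02T23:55:26.000Z"),
    _rec("CVE-2020-0688", "2020-02-11T21:22:59.000Z"),
    _rec("CVE-2025-53782", "2025-10-14T17:00:08.402Z"),
    _rec("CVE-2021-33766", "2021-07-14T17:53:40.000Z"),  # no sightings below
]}
SAMPLE_SIGHTINGS = {"data":
    [{"vulnerability": "CVE-2021-26855"}] * 4
    + [{"vulnerability": "cve-2020-0688"}] * 3       # lower-case id on purpose
    + [{"vulnerability": "CVE-2025-53782"}]
    + [{"vulnerability": "CVE-2021-44228"}] * 9      # not an Exchange CVE
}

if __name__ == "__main__":
    print(product_to_cpe("Microsoft", "Exchange Server"))
    for cve, n, date in rank_exploited_cves(SAMPLE_CPE_VULNS, SAMPLE_SIGHTINGS):
        print(f"{cve} - Sightings: {n} - Published: {date}")
```

Two points worth keeping in mind when running the live version: `get_sightings()` returns the sightings in `result['data']`, so before trusting a 90-day count confirm in the API documentation whether that response is paginated and, if it is, walk every page; and a CPE derived from a vendor product name is only a guess, because the product names come from the free-text fields of CVE records rather than the CPE dictionary.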
