innocentito/map-cve

nmap-cve

A small NSE script that pulls CVEs from the NVD for the services nmap finds.

nmap -sV --script nvd-cve scanme.nmap.org

Output appears inline under each port in the normal nmap format:

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.7
| nvd-cve:
|   5 of 23 vulnerabilities found for Apache httpd 2.4.7
|
|   [HIGH 8.2] CVE-2021-44224
|     A crafted URI sent to httpd configured as a forward proxy...
|     -> https://nvd.nist.gov/vuln/detail/CVE-2021-44224
|
|   [MEDIUM 6.5] CVE-2021-40438
|_    A crafted request uri-path can cause mod_proxy to forward...

Install

git clone https://github.com/innocentito/nmap-cve.git
cd nmap-cve
./install.sh

The installer drops nvd-cve.nse into nmap's scripts directory. It derives the location from the path reported by which nmap (this handles Homebrew, /usr/local, /usr, and custom prefixes); if no writable directory is found, it falls back to ~/.nmap/scripts/.

No Python, no shell function, no rc-file edits, no dependencies beyond nmap itself.

Options

# Override CVE cap (default 5 per service)
nmap -sV --script nvd-cve --script-args nvd-cve.limit=10 <target>

# Pass an API key inline (alternative to NVD_API_KEY env var)
nmap -sV --script nvd-cve --script-args nvd-cve.api-key=<key> <target>

# Enable debug output to see why NVD requests fail (rate limit, auth, etc.)
nmap -d -sV --script nvd-cve <target>

NVD API key (optional but recommended)

Without a key, NVD allows 5 requests per 30 seconds. With a key, the limit is 50 requests per 30 seconds.

Grab one free: https://nvd.nist.gov/developers/request-an-api-key

export NVD_API_KEY="your-key-here"

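Or pass it per-scan with --script-args nvd-cve.api-key=... A key passed on the command line ends up in shell history and is visible in the process list, so prefer the environment variable on shared machines.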

How it works

  1. portrule fires for any port with version detection (-sV)
  2. The script reads port.version.product / version / cpe
  3. If a CPE is present, it queries NVD with virtualMatchString (precise prefix match)
  4. Otherwise it falls back to a keyword search on product + version
  5. Results are sorted by CVSS score and capped at 5 per service (the default; see nvd-cve.limit)
  6. Rate limiting uses a sliding window shared across all script instances via nmap.registry
  7. Response caching dedupes identical queries: if 50 hosts run Apache 2.4.7, NVD is hit once
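
A Python model of steps 3 to 7, added here as an illustration and not the project's Lua code. It shows how the sliding window, the cache and the cap interact. NvdClient, FakeClock, the keywordSearch parameter name used for the fallback, and the sample CVE records are assumptions or constructed for the example.

```python
import collections
WINDOW_S = 30  # NVD rate-limit window in seconds, per the README

class NvdClient:
    """Model of steps 3-7: query choice, sliding window, cache, sort, cap."""
    def __init__(self, fetch, clock, sleep, api_key=None, limit=5):
        self.fetch, self.clock, self.sleep = fetch, clock, sleep
        self.max_req = 50 if api_key else 5  # requests allowed per window
        self.limit = limit                   # models nvd-cve.limit
        self.sent = collections.deque()      # timestamps of requests in the window
        self.cache = {}                      # query -> raw CVE list

    def build_query(self, product, version, cpe=None):  # CPE: prefix match, else keyword
        return ("virtualMatchString", cpe) if cpe else ("keywordSearch", f"{product} {version}")

    def _throttle(self):
        while True:
            now = self.clock()
            while self.sent and now - self.sent[0] >= WINDOW_S:
                self.sent.popleft()          # drop requests that left the window
            if len(self.sent) < self.max_req:
                self.sent.append(now)
                return
            self.sleep(WINDOW_S - (now - self.sent[0]))  # wait for the oldest to expire

    def lookup(self, product, version, cpe=None):
        query = self.build_query(product, version, cpe)
        if query not in self.cache:          # identical queries hit NVD once
            self._throttle()
            self.cache[query] = self.fetch(query)
        ranked = sorted(self.cache[query], key=lambda c: c["score"], reverse=True)
        return len(ranked), ranked[:self.limit]

class FakeClock:  # deterministic clock so the demo runs instantly and offline
    def __init__(self): self.t = 0.0
    def now(self): return self.t
    def sleep(self, s): self.t += s

def demo():
    clk, calls = FakeClock(), []
    def fetch(query):  # constructed stand-in for the HTTP request to NVD
        calls.append((clk.t, query))
        return [{"id": f"CVE-0000-{i:04d}", "score": float(i)} for i in range(1, 8)]
    client = NvdClient(fetch, clk.now, clk.sleep)
    for _ in range(50):  # 50 hosts running the same service
        total, top = client.lookup("Apache httpd", "2.4.7", "cpe:2.3:a:apache:http_server:2.4.7")
    for n in range(5):   # five more distinct services without a CPE
        client.lookup("svc", str(n))
    return calls, total, top
```

Without a key, the sixth distinct query in the demo is held until the 30-second window has passed, which is why a scan across many different services slows down noticeably unless NVD_API_KEY is set.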

Why not just use --script vulners?

vulners.nse ships with nmap and does a similar job, but queries vulners.com (third-party, requires their service). This script talks to NVD directly (official, free, no account) and falls back to keyword search when CPE is missing.

Uninstall

./uninstall.sh

Removes the NSE script from all known nmap script directories. Also cleans up the legacy shell-wrapper install (~/.nmap-cve/ and the rc-file function) if you upgraded from an earlier version.

Files

nmap-cve/
├── nvd-cve.nse    the script
├── install.sh
├── uninstall.sh
└── README.md
