stratosphereips/nist-cve-search-tool

Tapir, a NIST CVE search tool

This tool facilitates searching for CVEs in the NIST database [1]. It features an offline cache, output in long and short formats, and a limit on the number of results retrieved. The tool is written in Python 3.

The tool prints reports in JSON or in a simplified format. JSON output is easy to parse or to use as input for another application.

Usage

The tool can be used from the command-line by specifying the year(s) to query and the query string, for example:

:~$ echo "search for the first CVE in 2020 related to Citrix"
:~$ python3 tapir.py -s -y 2020 -c 1 Citrix

Use -h or --help to obtain all the usage information:

:~$ python3 tapir.py -h
usage: tapir.py [-h] [-s] [-d] -y YEAR [-c COUNT] search

Search CVEs on NIST data

positional arguments:
  search                Search query, regex capable

options:
  -h, --help            show this help message and exit
  -s, --short           Print short version of each CVE entry
  -d, --search-description
                        Search in CVE description too
  -y YEAR, --year YEAR  Year to look for. Examples: '2020' (single) or '2019,2020' (list) or '2010-2020' (range)
  -c COUNT, --count COUNT
                        Number of results to display

Practical examples

Citrix CVEs in 2020

Search for 2020 CVEs (-y 2020) mentioning Citrix using -c 1 (count) to print only one report and -s to print a simplified version:

:~$ python3 tapir.py -s -y 2020 -c 1 Citrix

ID: CVE-2020-10110
DATE: 2020-03-06T21:15Z
IMPACT:
    Base Score: 5.3
    Severity: MEDIUM
    Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

DESC: ** DISPUTED ** Citrix Gateway 11.1, 12.0, and 12.1 allows Information Exposure Through Caching. NOTE: Citrix disputes this as not a vulnerability. There is no sensitive information disclosure through the cache headers on Citrix ADC. The "Via" header lists cache protocols and recipients between the start and end points for a request or a response. The "Age" header provides the age of the cached response in seconds. Both headers are commonly used for proxy cache and the information is not sensitive.

Parse all Citrix vulnerabilities in 2020 with JQ

Using jq we can get details of the reports we searched for, and print specific fields together, such as ID and Severity:

:~$ python3 tapir.py -y 2020 Citrix | jq -r '.[]|[.cve.CVE_data_meta.ID,(.impact.baseMetricV2|if .severity == null then "N/A" else .severity end)]|@tsv'
CVE-2020-10110  MEDIUM
CVE-2020-10111  MEDIUM
CVE-2020-10112  MEDIUM
CVE-2020-13884  HIGH
CVE-2020-13885  HIGH
...
CVE-2020-8982   MEDIUM
CVE-2020-8983   MEDIUM
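
The jq filter above reads only the CVSS v2 severity, so an entry scored only under CVSS v3 shows as N/A and a v3 CRITICAL can appear as a v2 HIGH. The following Python script is an added example, not part of Tapir: it takes the same JSON and builds a triage list that prefers v3 and falls back to v2. It assumes the output is an array of NVD JSON 1.1 items, as the jq filter implies; the sample records and the function names are constructed for illustration.

```python
import json
import sys
from collections import Counter

# Constructed sample in the NVD JSON 1.1 item layout that the jq filter above
# relies on; IDs and scores are placeholders, not real CVE records.
SAMPLE = json.loads("""
[
 {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0001"}},
  "impact": {"baseMetricV3": {"cvssV3": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}},
             "baseMetricV2": {"severity": "HIGH", "cvssV2": {"baseScore": 7.5}}}},
 {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0002"}},
  "impact": {"baseMetricV2": {"severity": "MEDIUM", "cvssV2": {"baseScore": 5.0}}}},
 {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0003"}}, "impact": {}}
]
""")


def severity(item):
    """Return (source, severity, score), preferring CVSS v3 over v2."""
    impact = item.get("impact") or {}
    v3 = (impact.get("baseMetricV3") or {}).get("cvssV3")
    if v3:
        return "v3", v3.get("baseSeverity", "N/A"), v3.get("baseScore")
    v2 = impact.get("baseMetricV2")
    if v2:
        return "v2", v2.get("severity", "N/A"), (v2.get("cvssV2") or {}).get("baseScore")
    return "none", "N/A", None  # entry not scored yet


def triage(items):
    """Rows of (id, source, severity, score), highest score first, unscored last."""
    rows = [(i["cve"]["CVE_data_meta"]["ID"], *severity(i)) for i in items]
    return sorted(rows, key=lambda r: (r[3] is None, -(r[3] or 0.0), r[0]))


def counts(items):
    """Number of entries per severity label."""
    return Counter(sev for _, _, sev, _ in triage(items))


if __name__ == "__main__":
    # Read Tapir's JSON from a pipe, or fall back to the constructed sample.
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for row in triage(data):
        print("\t".join("N/A" if v is None else str(v) for v in row))
```

Saved under a hypothetical name such as triage.py, it can be fed with `python3 tapir.py -y 2020 Citrix | python3 triage.py`.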

Search for CVEs in a range of years

Expand the query to multiple years using lists, e.g.: 2011,2014,2016, or ranges, e.g.: 2015-2020.

:~$ python3 tapir.py -y 2018-2020 -s Citrix

Regex searches

The searches are regex capable. Regular expressions can broaden a search to return more results or narrow it to be more specific:

:~$ python3 tapir.py -s -y 2020 'Citrix (XenMobile|Storefront) server' | grep DESC
DESC: Improper authentication in Citrix StoreFront Server < 1912.0.1000 allows an attacker who is authenticated on the same Microsoft Active Directory domain as a Citrix StoreFront server to read arbitrary files from that server.
DESC: Improper input validation in Citrix XenMobile Server 10.12 before RP1, Citrix XenMobile Server 10.11 before RP4, Citrix XenMobile Server 10.11 before RP6 and Citrix XenMobile Server before 10.9 RP5 allows Cross-Site Scripting (XSS).
DESC: Improper access control in Citrix XenMobile Server 10.12 before RP2, Citrix XenMobile Server 10.11 before RP4, Citrix XenMobile Server 10.10 before RP6 and Citrix XenMobile Server before 10.9 RP5 and leads to the ability to read arbitrary files.
DESC: Insufficient protection of secrets in Citrix XenMobile Server 10.12 before RP3, Citrix XenMobile Server 10.11 before RP6, Citrix XenMobile Server 10.10 RP6 and Citrix XenMobile Server before 10.9 RP5 discloses credentials of a service account.
DESC: Improper input validation in Citrix XenMobile Server 10.12 before RP3, Citrix XenMobile Server 10.11 before RP6, Citrix XenMobile Server 10.10 RP6 and Citrix XenMobile Server before 10.9 RP5 allows SQL Injection.
DESC: Improper access control in Citrix XenMobile Server 10.12 before RP3, Citrix XenMobile Server 10.11 before RP6, Citrix XenMobile Server 10.10 RP6 and Citrix XenMobile Server before 10.9 RP5 allows access to privileged functionality.
DESC: Improper authentication in Citrix XenMobile Server 10.12 before RP2, Citrix XenMobile Server 10.11 before RP4, Citrix XenMobile Server 10.10 before RP6 and Citrix XenMobile Server before 10.9 RP5 leads to the ability to access sensitive files.

Docker Image

Tapir has a public Docker image with the latest version. To run Tapir using Docker, use the following command:

:~$ docker run --rm --name tapir stratosphereips/tapir:latest bash -c "python3 tapir.py -y 2018 Citrix -c 1 -s"

ID: CVE-2018-10648
DATE: 2018-05-23T17:29Z
IMPACT:
    Base Score: 9.8
    Severity: CRITICAL
    Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

DESC: There are Unauthenticated File Upload Vulnerabilities in Citrix XenMobile Server 10.8 before RP2 and 10.7 before RP3.

Contributors

This project was developed at the Stratosphere Research Laboratory. Originally developed by researcher Lisandro Ubiedo (lisandro.ubiedo[at]gmail[dot]com).

Footnotes

  1. https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-{YEAR}.json.gz