GrrrDog / Java-Deserialization-Cheat-Sheet

The cheat sheet about Java Deserialization vulnerabilities

Question about extending list of CVEs #20

Open engn33r opened 3 years ago

engn33r commented 3 years ago

I recently compiled a very large list of Java Deserialization CVEs (which are located at this repo https://github.com/PalindromeLabs/Java-Deserialization-CVEs) and I thought you might be interested in incorporating the list or parts of the list into this cheat sheet. Maybe you would prefer to keep the cheat list as it is, maybe you want to just add a link to this list if anyone wants a more comprehensive CVE list, or maybe you would prefer the notable/important CVEs be added individually to this cheat sheet with descriptions. If you have a preference for one of these options, let me know if I can help incorporate this CVE info into this excellent cheat sheet repo.

GrrrDog commented 3 years ago

Hi @engn33r! You have created a nice list of CVEs. I'll definitely do something with it. I am still thinking about how best to incorporate it... A couple of questions about your list: 1) are you going to maintain/update it? 2) do you collect CVEs automatically? If yes, could you also add a column with the CPE of the affected software?

engn33r commented 3 years ago

Thanks! To answer your questions:

  1. Unfortunately no, I do not plan to keep the list updated. I created the list for a journal article (published in the Oct '20 ISSA magazine) to see the trends in Java deserialization CVEs, but I do not plan to make further updates now that the article is published, because the article contains graphs which reference the dataset in this repository.
  2. I wish this was automatic! I learned that even though some CVEs are labeled with CWE-502 for deserialization, most are not well labeled. I created the list by hand, using many manual keyword searches for "serialization", "jackson", "weblogic", etc. If the CVEs were labeled better, this would make everyone's job easier.

I was also trying to think how to make this list useful, but I think the organization of your cheat sheet adds more details than I placed in the CVE list, so maybe it will take too much effort to combine the lists together. But maybe you will think of a good solution.

engn33r commented 3 years ago

I don't know if this helps, but I was testing the NVD CVE API recently and the following bash one-liner should list the CPEs associated with a file of CVEs:

while read -r CVE; do curl -s "https://services.nvd.nist.gov/rest/json/cve/1.0/$CVE" | jq '.result.CVE_Items[].configurations.nodes[].cpe_match[].cpe23Uri'; done < cves.txt
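The one-liner above targets the NVD CVE API 1.0, which NVD has since retired in favour of the 2.0 endpoint (`/rest/json/cves/2.0?cveId=...`), where the field path `.result.CVE_Items[].configurations.nodes[].cpe_match[].cpe23Uri` became `.vulnerabilities[].cve.configurations[].nodes[].cpeMatch[].criteria`. The script below is an added example, not code from either commenter or from the cheat sheet: it does the same job against the 2.0 response shape and, following the earlier remark about CWE-502 labelling, also reports whether NVD tagged each CVE with CWE-502. It skips `vulnerable: false` platform entries by default, since those name the environment of a "running on/with" configuration rather than the affected product. The function names are my own, and the embedded response is a constructed sample with placeholder CVE ids and products, not real NVD data; `fetch_cve_record()` is only used when a file of CVE ids is passed on the command line and needs network access.

```python
"""Added example: affected CPEs and CWE-502 tagging from the NVD CVE API 2.0.

The offline demo parses a constructed response; fetch_cve_record() needs network.
"""
import json
import sys
import urllib.parse
import urllib.request

NVD_CVE_API = "https://services.nvd.nist.gov/rest/json/cves/2.0"


def fetch_cve_record(cve_id, api_key=None, timeout=30):
    """Fetch one CVE from the live NVD 2.0 API. Unauthenticated clients are
    rate-limited; an NVD API key goes in the 'apiKey' request header."""
    url = NVD_CVE_API + "?" + urllib.parse.urlencode({"cveId": cve_id})
    req = urllib.request.Request(url, headers={"User-Agent": "cpe-lister/0.1"})
    if api_key:
        req.add_header("apiKey", api_key)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def cve_entries(record):
    """Yield the 'cve' objects of a 2.0 response (one per vulnerability)."""
    for vuln in record.get("vulnerabilities", []):
        yield vuln["cve"]


def affected_cpes(cve, vulnerable_only=True):
    """Sorted CPE 2.3 strings from one CVE's configurations.

    Platform nodes of 'running on/with' configurations carry vulnerable=false;
    they describe the environment, not the affected product, so skip them.
    """
    cpes = set()
    for config in cve.get("configurations", []):
        for node in config.get("nodes", []):
            for match in node.get("cpeMatch", []):
                if vulnerable_only and not match.get("vulnerable", False):
                    continue
                cpes.add(match["criteria"])
    return sorted(cpes)


def cwe_ids(cve):
    """Set of CWE identifiers NVD attached to the CVE (incl. 'NVD-CWE-Other')."""
    return {desc["value"]
            for weakness in cve.get("weaknesses", [])
            for desc in weakness.get("description", [])
            if desc.get("lang") == "en"}


def summarize(record):
    """Map CVE id -> (tagged CWE-502?, affected CPEs) for every entry."""
    return {cve["id"]: ("CWE-502" in cwe_ids(cve), affected_cpes(cve))
            for cve in cve_entries(record)}


# Constructed sample in the 2.0 response shape; ids, vendors and products
# are placeholders, not real NVD data.
SAMPLE_RESPONSE = {
    "totalResults": 2,
    "vulnerabilities": [
        {"cve": {
            "id": "CVE-EXAMPLE-0001",
            "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary",
                            "description": [{"lang": "en", "value": "CWE-502"}]}],
            "configurations": [{"operator": "AND", "nodes": [
                {"operator": "OR", "negate": False, "cpeMatch": [
                    {"vulnerable": True, "criteria": "cpe:2.3:a:example:app:1.0:*:*:*:*:*:*:*"},
                    {"vulnerable": True, "criteria": "cpe:2.3:a:example:app:1.1:*:*:*:*:*:*:*"}]},
                {"operator": "OR", "negate": False, "cpeMatch": [
                    {"vulnerable": False, "criteria": "cpe:2.3:o:example:os:-:*:*:*:*:*:*:*"}]}]}]}},
        {"cve": {
            "id": "CVE-EXAMPLE-0002",
            "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary",
                            "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}],
            "configurations": [{"nodes": [
                {"operator": "OR", "negate": False, "cpeMatch": [
                    {"vulnerable": True, "criteria": "cpe:2.3:a:example:lib:2.0:*:*:*:*:*:*:*"}]}]}]}},
    ],
}


def main(argv):
    """python nvd_cpes.py [cves.txt]  (one CVE id per line; no file = sample)."""
    record = SAMPLE_RESPONSE
    if len(argv) > 1:
        record = {"vulnerabilities": []}
        with open(argv[1]) as fh:
            for cve_id in (line.strip() for line in fh):
                if cve_id:
                    record["vulnerabilities"] += fetch_cve_record(cve_id)["vulnerabilities"]
    for cve_id, (tagged, cpes) in summarize(record).items():
        print(cve_id, "CWE-502" if tagged else "not tagged CWE-502")
        for cpe in cpes:
            print("   ", cpe)


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no arguments to see the sample output; with `cves.txt` it walks the file one id per call, which is the same request pattern as the one-liner and is subject to NVD's per-client rate limit unless an API key is supplied.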

GrrrDog commented 3 years ago

It will help. Thanks :)