search

vulnersCom / nmap-vulners

NSE script based on Vulners.com API
GNU General Public License v3.0
3.2k stars 547 forks source link

It seems the argument mincvss not working anymore #43

Closed RobbeR closed 3 years ago

RobbeR commented 3 years ago

Dear Devs,

I use this script since last year, and it worked like a charm until now. Now it seems the mincvss argument not working anymore. Here's my nmap call:

nmap -sV --script /path/to/vulners/vulners.nse --script-args mincvss=8 {TARGET_IP}

It gives me the following output (sample): 

...
80/tcp  open   http    Apache httpd 2.4.18
|_http-server-header: Apache/2.4.18
| vulners: 
|   cpe:/a:apache:http_server:2.4.18: 
|       EXPLOITPACK:44C5118F831D55FAF4259C41D8BDA0AB    7.2 https://vulners.com/exploitpack/EXPLOITPACK:44C5118F831D55FAF4259C41D8BDA0AB    *EXPLOIT*
|       1337DAY-ID-32502    7.2 https://vulners.com/zdt/1337DAY-ID-32502    *EXPLOIT*
|       EDB-ID:47689    5.8 https://vulners.com/exploitdb/EDB-ID:47689  *EXPLOIT*
...

As you can see, I got exploits with 7.2 and lower CVS score, but I would like to get reports exploits over 8.0 CVSS only. It worked before, but something has changed a few weeks ago.

Can you help me what did I wrong?

Thanks, RobbeR

mavzerburak0 commented 3 years ago

Hi,

I know this issue is a little dated but I came across the same problem as well and started digging around the script to find out what might cause this. Basically, there is this if block in the vulners.nse script:

if v.is_exploit or (v.cvss and mincvss <= v.cvss) then
    setmetatable(v, cve_meta)
    output[#output+1] = v
end

The problem is in the if statement where it says "if v.is_exploit", this effectively overrides mincvss argument that you pass while running nmap with vulners script. The reason is that they probably don't want you to miss any exploitable vulnerabilities, which is quite understandable. However, if you can find where vulners.nse is located on your machine (/path/to/nmap/scripts/vulners.nse for Linux/MacOS machines) and modify this if block in the following way, it should solve the issue:

if v.cvss and mincvss <= v.cvss then
    setmetatable(v, cve_meta)
    output[#output+1] = v
end

Hope this helps.

Cheers, Burak

RobbeR commented 3 years ago

Dear @mavzerburak0 , I added this "patch" to my vulners.nse, and it works much better now. Thank you for your help!