|
|||||
Tips for searching the CVE List hosted on this website are included below.
Other free CVE List search resources are also available.
As part of it’s enhanced CVE List content, the U.S. National Vulnerability Database (NVD) provides advanced searching features such as by OS; by vendor name, product name, and/or version number; and by vulnerability type, severity, related exploit range, and impact.
Searching the CVE List provides you with an individual CVE Record and/or a list of all CVE Records.
If you know the CVE ID number for a problem, search by the number to find its description.
Use a keyword to search the CVE List to find the official CVE Record for a known vulnerability.
You must use very specific keywords, such as an application name, when searching the CVE List. For example: Sendmail, wu-ftp, ToolTalk, ps, etc.
CVE is not designed like a vulnerability database, so searches for general terms like "Unix" or "buffer overflow" could give you incomplete or inaccurate results.
You can search by multiple keywords if the multiple keywords are separated by a space. Your results will include CVE Records that match all specified keywords. Remember to use very specific keywords and to avoid overly general keywords.
CVE List search was designed to help identify specific vulnerabilities and exposures, and not to find sets of problems that share common attributes such as operating systems. Therefore, you should not search CVE by operating system because your results will be incomplete.
Occasionally, you may get back two or more records when performing a search for a given security problem. When this occurs, it is because not enough details about the problem were originally provided, because the description includes unique details that you may not be familiar with, or because of an error in the description itself. While the description for a CVE Record should be able to uniquely identify a vulnerability or exposure, the descriptions are intentionally brief, and in some instances you may need to rely on the accompanying references to make a determination. In addition to referring to the references, you could also search through CVE-compatible sites by specifying the CVE Records that you are uncertain about.
Such information can already be found in numerous vulnerability databases and security tool databases. CVE doesn’t have this information because CVE is intended to link these databases, not to replace them.
Other organizations also offer free search resources for the CVE List.
Because the CVE Program currently synchronizes the CVE List with a GitHub repository, all of GitHub’s search features can be used. Their documentation is available here:
https://help.github.com/en/articles/searching-code
https://help.github.com/en/articles/understanding-the-search-syntax
Please note that you must be signed into a GitHub user account; otherwise, the search capabilities are very limited and are unlikely to help you in discovering CVE Records.
In general, you should use the “GitHub Advanced Search” page and search only the CVEProject/cvelist repository.
EXAMPLE 1:
A person wishes to discover CVE Records related to WordPress, but exclude WordPress plugins and themes.
EXAMPLE 2:
A person wishes to discover CVE Records related to use of Apple’s iOS operating system, and exclude Cisco’s IOS operating system.
CIRCL also offers CVE search services, including a local search that requires a local installation of the MongoDB software. See:
https://www.circl.lu/services/cve-search/
https://www.cve-search.org/