Assistance with Querying CVEs in Elasticsearch

Hello everyone,

I hope this message finds you well. I am fairly new to Elasticsearch and I am encountering some difficulties with querying.

On a computer with MariaDB 10.11.1 installed, the CPE ID is as follows:
`cpe:2.3:a:mariadb:mariadb:10.11.1:*:*:*:*:*:*:*`
How can I query the CVE database using this CPE ID? I want the query to show that MariaDB 10.11.1 is affected by CVE-2022-47015.

Despite trying various query methods such as wildcard, term, and match queries, I haven't been able to achieve the correct results.

Could anyone please advise on how to properly query the right CVE using a CPE ID?

Thank you in advance for your help!

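In the "nvd_cves" index, there are numerous CVE documents, each identified by its CVE number as the "id."
In the "configurations" section of these documents, the affected software and hardware are listed using their corresponding CPE IDs.
Note that in the document below each "criteria" value has a wildcard in the version position, and the affected versions are given by "versionStartIncluding" and "versionEndExcluding" instead. Deciding whether 10.11.1 is affected therefore means comparing the installed version against those bounds (here 10.11.0 <= 10.11.1 < 10.11.3), not only matching the CPE string.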

**CVE-2022-47015 doc**
{
  "took": 1,
  "timed_out": false,
  "_shards": {
    "total": 1,
    "successful": 1,
    "skipped": 0,
    "failed": 0
  },
  "hits": {
    "total": {
      "value": 1,
      "relation": "eq"
    },
    "max_score": 1,
    "hits": [
      {
        "_index": "nvd_cves",
        "_id": "CVE-2022-47015",
        "_score": 1,
        "_source": {
          "cve": {
            "id": "CVE-2022-47015",
            "sourceIdentifier": "cve@mitre.org",
            "published": "2023-01-20T19:15:17.443",
            "lastModified": "2024-06-06T19:45:52.907",
            "vulnStatus": "Analyzed",
            "cveTags": [],
            "descriptions": [
              {
                "lang": "en",
                "value": "MariaDB Server before 10.3.34 thru 10.9.3 is vulnerable to Denial of Service. It is possible for function spider_db_mbase::print_warnings to dereference a null pointer."
              },
              {
                "lang": "es",
                "value": "MariaDB Server anterior a 10.3.34 hasta 10.9.3 es vulnerable a la denegación de servicio. Es posible que la función spider_db_mbase::print_warnings elimine la referencia a un puntero null."
              }
            ],
            "metrics": {
              "cvssMetricV31": [
                {
                  "source": "nvd@nist.gov",
                  "type": "Primary",
                  "cvssData": {
                    "version": "3.1",
                    "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                    "attackVector": "NETWORK",
                    "attackComplexity": "LOW",
                    "privilegesRequired": "LOW",
                    "userInteraction": "NONE",
                    "scope": "UNCHANGED",
                    "confidentialityImpact": "NONE",
                    "integrityImpact": "NONE",
                    "availabilityImpact": "HIGH",
                    "baseScore": 6.5,
                    "baseSeverity": "MEDIUM"
                  },
                  "exploitabilityScore": 2.8,
                  "impactScore": 3.6
                }
              ]
            },
            "weaknesses": [
              {
                "source": "nvd@nist.gov",
                "type": "Primary",
                "description": [
                  {
                    "lang": "en",
                    "value": "CWE-476"
                  }
                ]
              }
            ],
            "configurations": [
              {
                "nodes": [
                  {
                    "operator": "OR",
                    "negate": false,
                    "cpeMatch": [
                      {
                        "vulnerable": true,
                        "criteria": "cpe:2.3:a:mariadb:mariadb:*:*:*:*:*:*:*:*",
                        "versionStartIncluding": "10.3.0",
                        "versionEndExcluding": "10.3.39",
                        "matchCriteriaId": "73B9E2B1-8409-466F-BB25-E170B8575FE0"
                      },
                      {
                        "vulnerable": true,
                        "criteria": "cpe:2.3:a:mariadb:mariadb:*:*:*:*:*:*:*:*",
                        "versionStartIncluding": "10.4.0",
                        "versionEndExcluding": "10.4.29",
                        "matchCriteriaId": "74BDE25F-E554-4044-92A9-9754344BD1E6"
                      },
                      {
                        "vulnerable": true,
                        "criteria": "cpe:2.3:a:mariadb:mariadb:*:*:*:*:*:*:*:*",
                        "versionStartIncluding": "10.5.0",
                        "versionEndExcluding": "10.5.20",
                        "matchCriteriaId": "241EBBC7-DA8C-4AAF-9FA1-CEA109CBC302"
                      },
                      {
                        "vulnerable": true,
                        "criteria": "cpe:2.3:a:mariadb:mariadb:*:*:*:*:*:*:*:*",
                        "versionStartIncluding": "10.6.0",
                        "versionEndExcluding": "10.6.13",
                        "matchCriteriaId": "C8DA6B06-28C2-4FD2-B17A-2082105E62B9"
                      },
                      {
                        "vulnerable": true,
                        "criteria": "cpe:2.3:a:mariadb:mariadb:*:*:*:*:*:*:*:*",
                        "versionStartIncluding": "10.8.0",
                        "versionEndExcluding": "10.8.8",
                        "matchCriteriaId": "0452672D-238A-427F-8B97-DE1A422112AD"
                      },
                      {
                        "vulnerable": true,
                        "criteria": "cpe:2.3:a:mariadb:mariadb:*:*:*:*:*:*:*:*",
                        "versionStartIncluding": "10.9.0",
                        "versionEndExcluding": "10.9.6",
                        "matchCriteriaId": "06CF2204-324A-48FE-B4C3-D8CE3F9D1B9D"
                      },
                      {
                        "vulnerable": true,
                        "criteria": "cpe:2.3:a:mariadb:mariadb:*:*:*:*:*:*:*:*",
                        "versionStartIncluding": "10.10.0",
                        "versionEndExcluding": "10.10.4",
                        "matchCriteriaId": "658EEEF9-02F9-44A8-98C7-AE886697268D"
                      },
                      {
                        "vulnerable": true,
                        "criteria": "cpe:2.3:a:mariadb:mariadb:*:*:*:*:*:*:*:*",
                        "versionStartIncluding": "10.11.0",
                        "versionEndExcluding": "10.11.3",
                        "matchCriteriaId": "786AA9E0-3E06-42AD-A963-A5C0DA90F9C2"
                      }
                    ]
                  }
                ]
              }
            ],
            "references": [OMIT URL]
          }
        }
      }
    ]
  }
} 

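Both the wildcard query and the term query below returned no hits. Note that both address the field as `configurations.nodes.cpeMatch.criteria`, whereas in the document above it sits under the top-level `cve` object (`cve.configurations.nodes.cpeMatch.criteria`).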

GET /nvd_cves/_search
{
  "query": {
    "wildcard": {
      "configurations.nodes.cpeMatch.criteria": {
        "value": "cpe:2.3:a:mariadb:mariadb:*:*:*:*:*:*:*:*"
      }
    }
  }
}

GET /nvd_cves/_search
{
  "query": {
    "bool": {
      "must": [
        {
          "term": {
            "configurations.nodes.cpeMatch.criteria.keyword": "cpe:2.3:a:mariadb:mariadb:*:*:*:*:*:*:*:*"
          }
        }
      ]
    }
  }
}

Best regards,
YK
