## https://sploitus.com/exploit?id=177A7C8F-38E9-556F-939A-49C2E55CF966
Turn an Nmap scan into the CVEs that actually affect the versions you found —
  not every CVE that merely mentions the product.

---

Most "Nmap → CVE" tools search by product name and dump everything. **CVE-Mapper is
version-aware**: for each discovered service it asks [Vulners](https://vulners.com)
which CVEs match the exact product *and* version, then **independently re-validates
every affected range** with its own comparator before reporting it. Every result
carries a confidence level and a plain-English reason — including why something was
rejected.

> **For authorised assessment only.** CVE-Mapper identifies, scores, and links exploit
> availability. It never exploits anything and emits no exploit code.

## Why

- **Version-accurate.** Understands semantic, partial, OpenSSH `7.2p2`, Debian/Ubuntu,
  RHEL, epoch, pre-release and Tomcat-milestone versions.
- **Conservative by design.** `Apache httpd` ≠ `Apache Tomcat`; backported distro
  packages and coarse versions are downgraded, never blindly confirmed.
- **Evidence-backed.** Each finding states the affected range and the reason for its
  verdict.
- **Vulners-only intel**, via the official SDK (clears Cloudflare) with a raw-HTTP
  fallback — plus caching, retries and rate-limit handling.
- **Outputs** to terminal, JSON, CSV and self-contained HTML.

## Install

```bash
pip install -e .            # installs the cve-mapper command + the vulners SDK
export VULNERS_API_KEY=…    # get a key at https://vulners.com
```

> Python 3.9+. The official **`vulners` SDK is installed automatically** and is
> required for live queries — Vulners' API is behind Cloudflare, which blocks plain
> HTTP clients. `requests` powers the raw-HTTP fallback (and degrades to the stdlib if
> absent).

## Quick start

```bash
# 1 — scan with service/version detection
nmap -sV -sC -oX scan.xml <target>

# 2 — map the discovered versions to CVEs
cve-mapper --input scan.xml --min-cvss 7.0 --only-exploitable
```

## Usage

```text
cve-mapper --input scan.xml [options]
```

| Flag | Purpose |
| --- | --- |
| `--input` / `--input-dir` | A single Nmap report, or a directory to scan recursively |
| `--json-output` / `--csv-output` / `--html-output` | Write machine-readable / spreadsheet / shareable reports |
| `--min-cvss 7.0` | Keep CVEs at or above a CVSS score |
| `--only-exploitable` | Keep only CVEs with a public exploit per Vulners |
| `--severity` · `--year-from` · `--year-to` | Filter by severity or CVE year |
| `--confidence Confirmed,Likely` | Keep only chosen confidence levels |
| `--strict` | Require CPE-grade evidence to mark a finding *Confirmed* |
| `--confidence-threshold high` | Cap low-trust Nmap detections at *Needs manual verification* |
| `--vulners-api-key` · `--no-cache` · `--debug` | Auth, cache and diagnostics |

Run `cve-mapper --help` for the full list.

## How it works

```
Nmap XML ─▶ normalize service ─▶ query Vulners (CPE + version) ─▶ re-validate range ─▶ grade
```

For every `(service, CVE)` pair CVE-Mapper checks **product identity** (rejecting
look-alikes and unrelated vendors), **version** (is the detected version provably in
the affected range?) and **platform** (OS compatibility) before assigning a verdict.

### Confidence levels

| Level | Meaning |
| --- | --- |
| **Confirmed** | Strong identity, specific version provably in range, compatible platform |
| **Likely** | In range, but a caveat applies (e.g. a backported distro package) |
| **Possible** | In range, but identity is weaker or the sub-version is ambiguous |
| **Needs manual verification** | Identity matches but the range can't be compared reliably |
| **Rejected** | Product mismatch, version out of range, or platform conflict |
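
A worked illustration of the range re-validation and grading described above, added here and not taken from CVE-Mapper's source. The function names, the record schema (`product`, `start`, `end`) and the sample range are assumptions; only plain numeric, OpenSSH `pN`, epoch-prefixed and distro-suffixed versions are handled.

```python
import re

# Assumption: suffixes that mark a distro build which may carry backported fixes.
DISTRO_HINT = re.compile(r"ubuntu|debian|deb\d+|\.el\d+", re.I)

def parse_version(raw):
    """Return (numbers, p_level, is_distro_build), or None if not comparable."""
    v = raw.strip().lower()
    distro = bool(DISTRO_HINT.search(v))
    if re.match(r"\d+:", v):                 # drop a Debian-style epoch such as "1:"
        v = v.split(":", 1)[1]
    m = re.match(r"(\d+(?:\.\d+)*)(?:p(\d+))?", v)
    if not m:
        return None
    nums = tuple(int(n) for n in m.group(1).split("."))
    return nums, int(m.group(2) or 0), distro

def _key(parsed, width):
    nums, p_level, _ = parsed
    return nums + (0,) * (width - len(nums)), p_level

def in_range(det, lo, hi):
    """True when lo <= det < hi (start inclusive, end exclusive)."""
    width = max(len(p[0]) for p in (det, lo, hi))
    return _key(lo, width) <= _key(det, width) < _key(hi, width)

def grade(product, version, cve):
    """Return (confidence, reason) for one (service, CVE) pair."""
    if product.strip().lower() != cve["product"]:
        return "Rejected", "product mismatch"
    det, lo, hi = (parse_version(s) for s in (version, cve["start"], cve["end"]))
    if det is None or lo is None or hi is None:
        return "Needs manual verification", "version cannot be compared"
    if not in_range(det, lo, hi):
        return "Rejected", "version outside affected range"
    if det[2]:
        return "Likely", "in range, but distro package may be backported"
    if len(det[0]) < len(hi[0]):
        return "Possible", "in range, but detected version is coarse"
    return "Confirmed", "specific version inside affected range"

# Constructed record: placeholder ID and range, not real advisory data.
SAMPLE_CVE = {"id": "CVE-0000-00000", "product": "openssh",
              "start": "7.0", "end": "7.4"}

if __name__ == "__main__":
    for ver in ("7.2p2", "1:7.2p2-4ubuntu2.10", "7", "7.4", "unknown"):
        print(ver, "->", grade("OpenSSH", ver, SAMPLE_CVE))
```

The order of the checks matters: identity is settled before any version arithmetic, and an unparseable version is routed to manual review rather than being treated as in or out of range.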

## Output formats

`--json-output` (full structured schema), `--csv-output` (one row per finding,
spreadsheet-safe), `--html-output` (self-contained, escaped) and a coloured terminal
report by default.

## Testing

```bash
pip install pytest && pytest        # 127 offline tests — Vulners is fully mocked
VULNERS_API_KEY=… pytest            # also runs an opt-in live smoke test
```

## Troubleshooting

**`HTTP 403` / “Vulners rejected the request”** — this is almost always Cloudflare bot
protection, **not** a bad API key. It means the `vulners` SDK isn't available, so the
tool fell back to the raw-HTTP backend. Fix it with:

```bash
pip install vulners
```

The SDK clears Vulners' Cloudflare challenge; the raw-HTTP backend cannot.

## Limitations

- Findings are **leads, not proof** — always confirm before acting; the reason field
  explains each verdict.
- Accuracy depends on Nmap's `-sV` banner; use `--confidence-threshold` for weak
  detections.
- Backported fixes keep the upstream version, so distro packages surface as *Likely* /
  *Needs manual verification* — check the distro security tracker.
- When a CVE's metadata is incomplete, CVE-Mapper errs toward **fewer false positives**
  at the cost of the occasional false negative.

## License

[MIT](LICENSE).