There is a long-awaited feature released in Kenna VM (Aug 18) where 8 new query search terms are added to allow searching based on CVSS v2 or v3.
- cvss_v2_score
- cvss_v2_exploit_subscore
- cvss_v2_impact_subscore
- cvss_v2_temporal_score
- cvss_v3_score
- cvss_v3_exploit_subscore
- cvss_v3_impact_subscore
- cvss_v3_temporal_score
cvss_v2_score:>=7 AND cvss_v3_score:>=7
However, the syntax above will produce a blind
spot in querying any CVE released before 2015 or after 2022-08, which
may only contain either CVSS v2 or CVSS v3 score. For example, cve-2013-3900, which contains only CVSS v2 7.6 (without CVSS v3), is not covered by syntax above.
There are 4 groups of vulnerabilities in Kenna.
| CVSS v2 | CVSS v3 | Kenna Syntax |
|---|---|---|
| No | No | -cvss_v2_score:"*" AND -cvss_v3_score:"*" |
| Yes | No | cvss_v2_score:"*" AND -cvss_v3_score:"*" |
| No | Yes | -cvss_v2_score:"*" AND cvss_v3_score:"*" |
| Yes | Yes | cvss_v2_score:"*" AND cvss_v3_score:"*" |
Supposedly the syntax should be [ cvss_v2_score:>=7 OR cvss_v3_score:>=7 ]. But this is prohibited in Kenna syntax format.
One of the possible solution to search any CVE with high CVSS score could be:
cvss_v2_score:>=7 AND -cvss_v3_score:<7
Links: