circl / cve-portal
Common Vulnerabilities and Exposures - Portal
License: GNU Affero General Public License v3.0
Hi,
it seems that https://www.circl.lu/services/cve-search/ doesn't include reserved CVEs.
What are the rationales behind this decision?
Regards,
Cyrille
Scrolling in the dialog is not so attractive because the list is statically linked to the dialog window.
Reproduce:
Is it possible to send a mail alert notification when a high-ranked CVE (cve-search) appears?
Or is the notification portal a portal that just makes a notification in the web portal?
thanks
When a user registers without a PGP key and the user clicks "Change PGP" in the account menu, error 500 is shown.
'Your informations' -> information is uncountable -> 'Your information'
Notifications -> Add -> no focus on first field
This should be 'Available CVEs'
input/output is not correctly sanitized.
There should be one and the same error page for 401 Unauthorized and 404 Not Found.
127.0.0.1 - - [08/Dec/2014:14:47:12 +0000] "GET /confirm/eyJhbGciOiJIUzI1NiIsImV4cCI6MTQxODA1MzYyMywiaWF0IjoxNDE4MDUwMDIzfQ.eyJjb25maXJtIjoyfQ.sZGLCFO7VEw_Z0do5wvEnkDZb4ejMpiXSyMpc0rTGn0 HTTP/1.1" 401 2285 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:34.0) Gecko/20100101 Firefox/34.0"
Hello
I'm trying to figure out how to run cve-portal. It's installed on a VM with cve-search, which is up and running.
When I try to open cve-portal in a browser, I get the following error:
Internal Server Error
and the following in the terminal:
kkaneki@tokyo:~/cve-portal/app$ ./LAUNCH.sh
[2016-01-04 11:37:29 +0000] [2386] [INFO] Starting gunicorn 19.4.1
[2016-01-04 11:37:29 +0000] [2386] [INFO] Listening at: https://0.0.0.0:1443 (2386)
[2016-01-04 11:37:29 +0000] [2386] [INFO] Using worker: sync
[2016-01-04 11:37:29 +0000] [2391] [INFO] Booting worker with pid: 2391
[2016-01-04 11:37:29 +0000] [2392] [INFO] Booting worker with pid: 2392
[2016-01-04 11:37:29 +0000] [2395] [INFO] Booting worker with pid: 2395
[2016-01-04 11:37:29 +0000] [2396] [INFO] Booting worker with pid: 2396
/usr/local/lib/python2.7/dist-packages/flask_sqlalchemy/__init__.py:800: UserWarning: SQLALCHEMY_TRACK_MODIFICATIONS adds significant overhead and will be disabled by default in the future. Set it to True to suppress this warning.
warnings.warn('SQLALCHEMY_TRACK_MODIFICATIONS adds significant overhead and will be disabled by default in the future. Set it to True to suppress this warning.')
/usr/local/lib/python2.7/dist-packages/flask_sqlalchemy/__init__.py:800: UserWarning: SQLALCHEMY_TRACK_MODIFICATIONS adds significant overhead and will be disabled by default in the future. Set it to True to suppress this warning.
warnings.warn('SQLALCHEMY_TRACK_MODIFICATIONS adds significant overhead and will be disabled by default in the future. Set it to True to suppress this warning.')
/usr/local/lib/python2.7/dist-packages/flask_sqlalchemy/__init__.py:800: UserWarning: SQLALCHEMY_TRACK_MODIFICATIONS adds significant overhead and will be disabled by default in the future. Set it to True to suppress this warning.
warnings.warn('SQLALCHEMY_TRACK_MODIFICATIONS adds significant overhead and will be disabled by default in the future. Set it to True to suppress this warning.')
/usr/local/lib/python2.7/dist-packages/flask_sqlalchemy/__init__.py:800: UserWarning: SQLALCHEMY_TRACK_MODIFICATIONS adds significant overhead and will be disabled by default in the future. Set it to True to suppress this warning.
warnings.warn('SQLALCHEMY_TRACK_MODIFICATIONS adds significant overhead and will be disabled by default in the future. Set it to True to suppress this warning.')
[2016-01-04 11:37:57 +0000] [2392] [ERROR] Exception in worker process:
Traceback (most recent call last):
File "/usr/local/lib/python2.7/dist-packages/gunicorn/arbiter.py", line 515, in spawn_worker
worker.init_process()
File "/usr/local/lib/python2.7/dist-packages/gunicorn/workers/base.py", line 126, in init_process
self.run()
File "/usr/local/lib/python2.7/dist-packages/gunicorn/workers/sync.py", line 119, in run
self.run_for_one(timeout)
File "/usr/local/lib/python2.7/dist-packages/gunicorn/workers/sync.py", line 66, in run_for_one
self.accept(listener)
File "/usr/local/lib/python2.7/dist-packages/gunicorn/workers/sync.py", line 30, in accept
self.handle(listener, client, addr)
File "/usr/local/lib/python2.7/dist-packages/gunicorn/workers/sync.py", line 141, in handle
self.handle_error(req, client, addr, e)
File "/usr/local/lib/python2.7/dist-packages/gunicorn/workers/base.py", line 213, in handle_error
self.log.exception("Error handling request %s", req.uri)
AttributeError: 'NoneType' object has no attribute 'uri'
Traceback (most recent call last):
File "/usr/local/lib/python2.7/dist-packages/gunicorn/arbiter.py", line 515, in spawn_worker
worker.init_process()
File "/usr/local/lib/python2.7/dist-packages/gunicorn/workers/base.py", line 126, in init_process
self.run()
File "/usr/local/lib/python2.7/dist-packages/gunicorn/workers/sync.py", line 119, in run
self.run_for_one(timeout)
File "/usr/local/lib/python2.7/dist-packages/gunicorn/workers/sync.py", line 66, in run_for_one
self.accept(listener)
File "/usr/local/lib/python2.7/dist-packages/gunicorn/workers/sync.py", line 30, in accept
self.handle(listener, client, addr)
File "/usr/local/lib/python2.7/dist-packages/gunicorn/workers/sync.py", line 141, in handle
self.handle_error(req, client, addr, e)
File "/usr/local/lib/python2.7/dist-packages/gunicorn/workers/base.py", line 213, in handle_error
self.log.exception("Error handling request %s", req.uri)
AttributeError: 'NoneType' object has no attribute 'uri'
[2016-01-04 11:37:57 +0000] [2392] [INFO] Worker exiting (pid: 2392)
[2016-01-04 11:37:57 +0000] [2421] [INFO] Booting worker with pid: 2421
/usr/local/lib/python2.7/dist-packages/flask_sqlalchemy/__init__.py:800: UserWarning: SQLALCHEMY_TRACK_MODIFICATIONS adds significant overhead and will be disabled by default in the future. Set it to True to suppress this warning.
warnings.warn('SQLALCHEMY_TRACK_MODIFICATIONS adds significant overhead and will be disabled by default in the future. Set it to True to suppress this warning.')
Exception on / [GET]
Traceback (most recent call last):
File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1817, in wsgi_app
response = self.full_dispatch_request()
File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1477, in full_dispatch_request
rv = self.handle_user_exception(e)
File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1381, in handle_user_exception
reraise(exc_type, exc_value, tb)
File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1473, in full_dispatch_request
rv = self.preprocess_request()
File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1666, in preprocess_request
rv = func()
File "/home/kkaneki/cve-portal/app/server.py", line 112, in before_request
if current_user.is_authenticated():
TypeError: 'bool' object is not callable
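The TypeError at the end of that traceback comes from Flask-Login changing is_authenticated from a method to a property in 0.3.0. The reverse mistake is the dangerous one: testing the old-style method as if it were a property always succeeds, because a bound method object is truthy, so anonymous visitors pass the check. The following is an added example (not cve-portal's code) of a version-tolerant, fail-closed check for a before_request hook; the user classes are constructed stand-ins for the two Flask-Login generations and the public route list is an assumption.

```python
from typing import Any


def is_authenticated(user: Any) -> bool:
    """Return True only when the user object positively reports authentication.

    Flask-Login < 0.3 exposed is_authenticated as a method, >= 0.3 as a
    property. Calling the property raises the TypeError seen above; testing
    the method as a property is silently wrong, because a bound method is
    always truthy. Handle both and fail closed on anything else.
    """
    flag = getattr(user, "is_authenticated", False)
    if callable(flag):          # old API: method
        flag = flag()
    return flag is True         # require a real boolean True, not just "truthy"


PUBLIC_PREFIXES = ("/login", "/register", "/confirm/", "/static/")  # assumed public routes


def gate(user: Any, path: str) -> str:
    """What a before_request hook decides: 'allow' or 'redirect:/login'."""
    if path.startswith(PUBLIC_PREFIXES) or is_authenticated(user):
        return "allow"
    return "redirect:/login"


def naive_property_check(user: Any) -> bool:
    """The fail-open mistake: reading the old-style method as if it were a property."""
    return bool(user.is_authenticated)


# Constructed stand-ins for the user objects of the two Flask-Login generations.
class OldStyleUser:
    def __init__(self, authed: bool):
        self._authed = authed

    def is_authenticated(self) -> bool:        # Flask-Login < 0.3 shape
        return self._authed


class NewStyleUser:
    def __init__(self, authed: bool):
        self._authed = authed

    @property
    def is_authenticated(self) -> bool:        # Flask-Login >= 0.3 shape
        return self._authed


if __name__ == "__main__":
    anonymous = OldStyleUser(False)
    print(naive_property_check(anonymous))   # True: the method object is truthy, anonymous user admitted
    print(is_authenticated(anonymous))       # False
    print(gate(NewStyleUser(False), "/notifications"))  # redirect:/login
```

The strict `is True` comparison is deliberate: an attribute that is merely truthy (a method, a non-empty string, a Mock) is treated as not authenticated, so an API drift in the library degrades to a lock-out rather than a bypass.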
When a user registers and fills incorrect data in the field labeled "Name", the following error message is shown "Username must have only letters, numbers, dots or underscores." The word username should be substituted with the text "Name" to be consistent with the field labels.
LAUNCH.sh:
gunicorn -w 4 -b 0.0.0.0:1443 server:app --access-logfile - --error-logfile - --keyfile ../../CA/server.key --certfile ../../CA/server.crt --ca-certs ../../CA/chain.pem
run ./LAUNCH.sh
alerts me:
create_sockets
raise ValueError('certfile "%s" does not exist' % conf.certfile)
ValueError: certfile "../../CA/server.crt" does not exist
The link to CIRCL should be https://
Add full-text flag in the table
Search button to remove for full-text
All JSON-based actions should be protected against CSRF (specifically /delnotif).
Other forms seem to be protected with Flask's built-in CSRF protection.
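Form-based CSRF protection only inspects a hidden form field, which a JSON request never carries, so a JSON endpoint needs its own check. Below is an added example (not cve-portal's code) of the checks a decorator around an action such as /delnotif would apply: a per-session token bound to the session id by HMAC and sent in a custom header, an Origin/Referer check, and a content-type requirement that a plain HTML form cannot satisfy. The server secret, site origin, request dictionary shape and header names are assumptions; the requests at the bottom are constructed.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SERVER_SECRET = secrets.token_bytes(32)   # assumed: loaded from config in a real deployment
SITE_ORIGIN = "https://portal.example"    # assumed deployment origin


def csrf_token_for(session_id: str) -> str:
    """Token the server embeds in its pages for this session; nothing to store server-side."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def _origin_ok(headers: dict) -> bool:
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False          # browsers send Origin on non-GET requests; a missing one is rejected
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def check_json_action(request: dict) -> tuple:
    """Return (status, reason) as a decorator guarding a JSON action would.

    request: {"method": str, "headers": dict, "session_id": str, "json": dict}
    """
    if request["method"] not in ("POST", "DELETE"):
        return 405, "state-changing actions must not be reachable via GET"
    headers = request["headers"]
    if not headers.get("Content-Type", "").startswith("application/json"):
        return 415, "JSON body required (an HTML form cannot send this content type)"
    if not _origin_ok(headers):
        return 403, "cross-site origin"
    expected = csrf_token_for(request["session_id"])
    given = headers.get("X-CSRF-Token", "")   # a cross-origin page cannot set custom headers without CORS consent
    if not hmac.compare_digest(expected, given):
        return 403, "missing or wrong CSRF token"
    return 200, "ok"


# Constructed requests for the four interesting cases.
def _req(method: str, headers: dict, session_id: str = "sess-42") -> dict:
    return {"method": method, "headers": headers, "session_id": session_id, "json": {"id": 7}}


GOOD = _req("POST", {"Content-Type": "application/json",
                     "Origin": SITE_ORIGIN,
                     "X-CSRF-Token": csrf_token_for("sess-42")})
CROSS_SITE = _req("POST", {"Content-Type": "application/json",
                           "Origin": "https://evil.example",
                           "X-CSRF-Token": csrf_token_for("sess-42")})
NO_TOKEN = _req("POST", {"Content-Type": "application/json", "Origin": SITE_ORIGIN})
WRONG_SESSION = _req("POST", {"Content-Type": "application/json", "Origin": SITE_ORIGIN,
                              "X-CSRF-Token": csrf_token_for("other-session")})

if __name__ == "__main__":
    for name, req in (("good", GOOD), ("cross-site", CROSS_SITE),
                      ("no token", NO_TOKEN), ("wrong session", WRONG_SESSION)):
        print(name, check_json_action(req))
```

Binding the token to the session id means a token leaked from one session is useless in another, and the HMAC construction avoids storing anything per session. The Origin check is an independent second layer: it still rejects a cross-site request if the token check is ever misconfigured.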
Output: in English there is no whitespace before punctuation marks
Example (wrong): You have confirmed your account. Thanks !
Example (correct): You have confirmed your account. Thanks!
When adding an entry in the full-text search box and pressing Add, there is no entry visible in the notification tab.
Hi,
I have a strange behavior:
I saw it on this specific CVE because I was looking for it, but it seems there are some general issues when applying multiple filters.
Regards,
PS: Thanks for this product, I find it very useful.
When the email address is changed, the confirmation should be reset. If a user changes his email, a new email needs to be sent for the confirmation (and the state "confirmed" should be reset).
Hey, can you change this?
OLD (deprecated) models.py
from flask.ext.sqlalchemy import SQLAlchemy
from flask.ext.login import UserMixin, AnonymousUserMixin
from flask.ext.scrypt import generate_random_salt, generate_password_hash, check_password_hash
New 👍 models.py
from flask_sqlalchemy import SQLAlchemy
from flask_login import UserMixin, AnonymousUserMixin
from flask_scrypt import generate_random_salt, generate_password_hash, check_password_hash
And now I have this error
(virtenv) dsqd@ubuntu:~/cve-portal/app$ python create.py
Traceback (most recent call last):
File "create.py", line 3, in
models.db.drop_all()
File "/home/retis/cve-portal/app/virtenv/local/lib/python2.7/site-packages/flask_sqlalchemy/init.py", line 971, in drop_all
self._execute_for_all_tables(app, bind, 'drop_all')
File "/home/retis/cve-portal/app/virtenv/local/lib/python2.7/site-packages/flask_sqlalchemy/init.py", line 940, in _execute_for_all_tables
app = self.get_app(app)
File "/home/retis/cve-portal/app/virtenv/local/lib/python2.7/site-packages/flask_sqlalchemy/init.py", line 912, in get_app
'No application found. Either work inside a view function or push'
RuntimeError: No application found. Either work inside a view function or push an application context. See http://fla
Hello,
Following the install steps I can't get past the part where create.py is executed; I got this:
Traceback (most recent call last):
File "create.py", line 3, in
models.db.drop_all()
File "/home/vagrant/git/cve-portal/app/virtenv/local/lib/python2.7/site-packages/flask_sqlalchemy/init.py", line 980, in drop_all
self._execute_for_all_tables(app, bind, 'drop_all')
File "/home/vagrant/git/cve-portal/app/virtenv/local/lib/python2.7/site-packages/flask_sqlalchemy/init.py", line 949, in _execute_for_all_tables
app = self.get_app(app)
File "/home/vagrant/git/cve-portal/app/virtenv/local/lib/python2.7/site-packages/flask_sqlalchemy/init.py", line 922, in get_app
raise RuntimeError('application not registered on db '
RuntimeError: application not registered on db instance and no application bound to current context
Is there any problem in the code? Or maybe I did something wrong before? I followed all the steps without any problem and I had installed cve-search before too.
Thanks for any advice.
Password salts should not be stored within the same storage as the password hash, to protect the hash in case of a database breach.
Search is case sensitive, but it shouldn't be (the DB is lowercase only)
Resolve by treating input as lower case
/home/XXXXX/git/cve-portal/app/virtenv/local/lib/python2.7/site-packages/sqlalchemy/engine/default.py:436: Warning: Data truncated for column 'pgp' at row 1
cursor.execute(statement, parameters)
When a user registered and did not receive the confirmation mail, the following message is shown:
"Need another confirmation email? Click here." When the link is clicked no confirmation mail is received/sent. No (success) message is shown.
Token: change email/reset password
These tokens should not be constructed with a JSON Web Signature because it is vulnerable to an offline brute-force attack and it provides the ability to take over any account.
These tokens must be generated randomly, saved into the users DB and cleared once the new password/email was confirmed.
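What the report asks for, as an added example (not cve-portal's code): a reset or change-email token drawn from the OS CSPRNG, stored per user as a hash so that a database read yields nothing usable, bounded by an expiry, and cleared on first use. The users table is an in-memory dict standing in for the real one; its column names, the TTL and the `now` parameter (present only to make the expiry testable) are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

TOKEN_TTL = 3600  # seconds; assumed policy

# Constructed stand-in for the users table; column names are assumptions.
USERS = {
    1: {"email": "alice@example.org", "reset_hash": None, "reset_expires": 0.0},
    2: {"email": "bob@example.org", "reset_hash": None, "reset_expires": 0.0},
}


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_token(user_id: int, now: Optional[float] = None) -> str:
    """Mint a fresh token for the user; the plaintext goes only into the e-mail link."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)               # 256 bits of entropy: nothing to brute-force offline
    USERS[user_id]["reset_hash"] = _digest(token)   # store only a hash; a DB dump yields no usable tokens
    USERS[user_id]["reset_expires"] = now + TOKEN_TTL
    return token


def consume_token(presented: str, now: Optional[float] = None) -> Optional[int]:
    """Look the token up by hash, invalidate it, and return the user id if it was valid.

    The link carries only the token, never a user id, so a wrong guess cannot
    void somebody else's pending reset. A matching record is cleared whether
    it was still valid or already expired: either way it is single use.
    """
    now = time.time() if now is None else now
    digest = _digest(presented)
    for user_id, rec in USERS.items():              # a real table would index reset_hash instead
        stored = rec["reset_hash"]
        if stored and hmac.compare_digest(stored, digest):
            expires = rec["reset_expires"]
            rec["reset_hash"], rec["reset_expires"] = None, 0.0
            return user_id if now <= expires else None
    return None


if __name__ == "__main__":
    t = issue_token(1)
    print("link: https://portal.example/reset/" + t)   # assumed route
    print(consume_token("guess"))   # None
    print(consume_token(t))         # 1
    print(consume_token(t))         # None: already used
```

Because the server never keeps the plaintext, the token cannot be reconstructed from the database, and since it carries no claims there is no signature whose key could be recovered offline. Issuing a new token for a user overwrites the previous hash, which also revokes any older link still in transit.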
For example, for CVE-2015-4491, https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4491 says:
Vulnerable software and versions
+ Configuration 1
* AND
* OR
* cpe:/a:gnome:gdk-pixbuf:2.31.4 and previous versions
* OR
cpe:/a:mozilla:firefox_esr:38.0
cpe:/a:mozilla:firefox_esr:38.0.1
cpe:/a:mozilla:firefox_esr:38.0.5
cpe:/a:mozilla:firefox_esr:38.1.0
cpe:/a:mozilla:firefox:39.0.3 and previous versions
cpe:/o:linux:linux_kernel
cpe:/a:google:chrome:-
+ Configuration 2
* OR
* cpe:/o:fedoraproject:fedora:21
* cpe:/o:fedoraproject:fedora:22
* cpe:/o:novell:opensuse:13.1
* cpe:/o:novell:opensuse:13.2
* cpe:/o:canonical:ubuntu_linux:12.04::~~lts~~~
* cpe:/o:canonical:ubuntu_linux:14.04::~~lts~~~
* cpe:/o:canonical:ubuntu_linux:15.04
while curl http://cve.circl.lu/api/cve/CVE-2015-4491 returns:
"vulnerable_configuration_cpe_2_2": [
"cpe:/a:gnome:gdk-pixbuf:2.31.4",
"cpe:/a:mozilla:firefox_esr:38.0",
"cpe:/a:mozilla:firefox_esr:38.0.1",
"cpe:/a:mozilla:firefox_esr:38.0.5",
"cpe:/a:mozilla:firefox_esr:38.1.0",
"cpe:/a:mozilla:firefox:39.0.3",
"cpe:/o:linux:linux_kernel",
"cpe:/a:google:chrome:-",
"cpe:/o:fedoraproject:fedora:21",
"cpe:/o:fedoraproject:fedora:22",
"cpe:/o:novell:opensuse:13.1",
"cpe:/o:novell:opensuse:13.2",
"cpe:/o:canonical:ubuntu_linux:12.04::~~lts~~~",
"cpe:/o:canonical:ubuntu_linux:14.04::~~lts~~~",
"cpe:/o:canonical:ubuntu_linux:15.04"
]
(example shows cpe 2.2 but 2.3 isn't better)
It is impossible to know that all Firefox versions prior to 39.0.3 are vulnerable ("cpe:/a:mozilla:firefox:39.0.3 and previous versions" on NVD) with your current encoding.
Best regards,
Cyrille
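One way to keep the "and previous versions" qualifier that the flat CPE list above drops, as an added example (not cve-search's or cve-portal's code): parse the NVD lines quoted in the report into a record that carries an explicit inclusive upper bound next to the CPE name (the `versionEndIncluding` field name is borrowed from NVD's JSON feeds), and match a candidate CPE against those records. The parser, the version ordering and the product-level matching rule for a bare CPE such as cpe:/o:linux:linux_kernel are my own choices; the input lines are constructed from the NVD listing in the report.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One NVD "Vulnerable software" line: optional bullet, a CPE 2.2 name, optional qualifier.
_NVD_LINE = re.compile(r"^\s*\*?\s*(cpe:/\S+?)(?:\s+and previous versions)?\s*$")


@dataclass(frozen=True)
class VulnerableConfig:
    cpe: str                               # full CPE, or vendor/product prefix when a bound is set
    version_end_including: Optional[str]   # set when NVD said "and previous versions"


def parse_nvd_line(line: str) -> Optional[VulnerableConfig]:
    """Turn one listing line into a record; lines that are not CPEs (AND/OR, headers) give None."""
    m = _NVD_LINE.match(line)
    if not m:
        return None
    cpe = m.group(1)
    parts = cpe.split(":")
    version = parts[4] if len(parts) > 4 else ""
    if "and previous versions" in line and version and version != "-":
        return VulnerableConfig(":".join(parts[:4]), version)   # range: keep product, lift version to the bound
    return VulnerableConfig(cpe, None)


def _vkey(version: str) -> tuple:
    """Sortable key: numeric components compare numerically, other components lexically after them."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in version.split("."))


def is_affected(configs: List[VulnerableConfig], candidate: str) -> bool:
    """True if the candidate CPE 2.2 name falls inside any vulnerable configuration."""
    parts = candidate.split(":")
    base = ":".join(parts[:4])
    version = parts[4] if len(parts) > 4 else ""
    for c in configs:
        if c.version_end_including is not None:
            if c.cpe == base and version and _vkey(version) <= _vkey(c.version_end_including):
                return True
        elif c.cpe == candidate:
            return True                                  # exact entry (e.g. firefox_esr:38.0)
        elif len(c.cpe.split(":")) == 4 and c.cpe == base:
            return True                                  # product-level entry without a version
    return False


def to_record(cfg: VulnerableConfig) -> dict:
    """Encoding a feed could emit instead of a bare CPE string."""
    rec = {"cpe22": cfg.cpe}
    if cfg.version_end_including is not None:
        rec["versionEndIncluding"] = cfg.version_end_including
    return rec


# Constructed from the NVD listing for CVE-2015-4491 quoted above.
NVD_LINES = [
    "+ Configuration 1",
    "* AND",
    "* cpe:/a:gnome:gdk-pixbuf:2.31.4 and previous versions",
    "cpe:/a:mozilla:firefox_esr:38.0",
    "cpe:/a:mozilla:firefox:39.0.3 and previous versions",
    "cpe:/o:linux:linux_kernel",
    "cpe:/a:google:chrome:-",
    "* cpe:/o:canonical:ubuntu_linux:14.04::~~lts~~~",
]
CONFIGS = [c for c in map(parse_nvd_line, NVD_LINES) if c is not None]

if __name__ == "__main__":
    for c in CONFIGS:
        print(to_record(c))
    print(is_affected(CONFIGS, "cpe:/a:mozilla:firefox:38.0"))   # True
    print(is_affected(CONFIGS, "cpe:/a:mozilla:firefox:40.0"))   # False
```

The version ordering is a plain dotted-numeric compare, which is adequate for the versions on this page; CPE 2.3 and later NVD feeds carry separate start/end bounds that the same record shape can hold by adding the remaining three fields.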
It should say 'Filter' instead of 'Search'