Catalyst / admin/SAynapse-Horizon 14.8 GB / 57.8 GB 40.0 GB free
Help Sign in

admin / SAynapse-Horizon

public

Self Hosted Cyber Threat Intelligence Hub

Code Issues Pull requests Pipelines Packages Security Insights Wiki Settings
SAynapse-Horizon / Synapse-Horizon-v2 / backend / src / sources / cisakev.js 1713 B · main
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
import { makeIoc, fetchWithTimeout, ok, failed, SEVERITY } from '../normalize.js'

// CISA Known Exploited Vulnerabilities — public JSON, no auth required.
const URL = 'https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json'
const LIMIT = 25

export const meta = { key: 'cisakev', requiresKey: false }

export function configured() {
  return true
}

export async function fetchSource() {
  const res = await fetchWithTimeout(URL)
  const data = await res.json()
  const vulns = Array.isArray(data?.vulnerabilities) ? data.vulnerabilities : []

  // Newest additions first.
  const recent = [...vulns]
    .sort((a, b) => new Date(b.dateAdded) - new Date(a.dateAdded))
    .slice(0, LIMIT)

  const iocs = recent.map((v) => {
    const ransomware = /known/i.test(v.knownRansomwareCampaignUse || '')
    const vendor = v.vendorProject || 'Unknown vendor'
    const product = v.product || 'affected product'
    return makeIoc('cisakev', {
      detectedAt: v.dateAdded,
      severity: SEVERITY.CRITICAL,
      category: 'Active Exploitation',
      indicator: v.cveID,
      indicatorType: 'cve',
      target: `${v.cveID} · ${vendor} ${product}`,
      confidence: 100,
      mitre: [{ id: 'T1190', name: 'Exploit Public-Facing Application' }],
      headline: `Active Exploitation: ${v.cveID} in ${vendor} ${product} added to CISA Known Exploited Vulnerabilities catalog${
        ransomware ? ' (known ransomware use)' : ''
      }`,
      raw: v,
      stix: {
        type: 'vulnerability',
        name: v.cveID,
        external_references: [{ source_name: 'cve', external_id: v.cveID }],
        labels: ['exploited-in-the-wild'],
      },
    })
  })

  return ok(iocs)
}