pyTenable icon indicating copy to clipboard operation
pyTenable copied to clipboard

Published 20 hours ago verified publisher icon tenable

CVSSv3 filtering expects CVSSv2 regex

Open Access42-HN opened this issue 1 year ago • 2 comments

Describe the bug Whenever I try to retrieve vulnerabilities from the Tenable VM workbenches/vulnerabilities API using CVSSv3 filter plugin.attributes.cvss_temporal_vector.raw match E:H,E:F using the API explorer, curl or python requests, this works fine (as well as I URL encode the last string), but whenever I try to do the same with pyTenable, I get the following error: restfly.errors.UnexpectedValueError: filter_value has value of E%3AH%2CE%3AF. Does not match pattern ^CVSS2#E:(U|POC|F|H|ND)/RL:(OF|T|W|U|ND)/RC:(UC|UR|C|ND)(,(CVSS2#E:(U|POC|F|H|ND)/RL:(OF|T|W|U|ND)/RC:(UC|UR|C|ND)))*$ It expects a very specific filter value that starts with CVSS2, but the plugin.attributes.cvss_temporal_vector.raw applies to CVSSv3.

To Reproduce Steps to reproduce the behavior:

  1. Create an instance TenableIO class with proper keys
  2. Call workbenches.vulns() on it, with filter "plugin.attributes.cvss_temporal_vector.raw", filter quality "match", and filter value "E:H".
  3. See the error

Example code:

from tenable.io import TenableIO
tio = TenableIO("<redacted access key>","<redacted secret key>")
response = tio.workbenches.vulns(("plugin.attributes.cvss_temporal_vector.raw", "match", "E:H,E:F"))

Expected behavior Retrieve correct vulnerabilities

System Information (please complete the following information):

  • OS: Windows
  • Architecture: 64bit
  • Version: 10
  • Memory: 16G

Access42-HN avatar Oct 16 '23 16:10 Access42-HN

It seems that the error stems from the output of the workbench filter endpoint:

{
      "name": "plugin.attributes.cvss_temporal_vector.raw",
      "readable_name": "CVSS Temporal Vector",
      "control": {
        "type": "entry",
        "regex": "^CVSS2#E:(U|POC|F|H|ND)/RL:(OF|T|W|U|ND)/RC:(UC|UR|C|ND)(,(CVSS2#E:(U|POC|F|H|ND)/RL:(OF|T|W|U|ND)/RC:(UC|UR|C|ND)))*$",
        "readable_regex": "E:H, E:F"
      },
      "operators": [
        "match",
        "nmatch"
      ],
      "group_name": null
    }

This can be retrieved at https://cloud.tenable.com/filters/workbenches/vulnerabilities. Not sure if this is an issue with pyTenable or with the Tenable API backend.

Access42-HN avatar Oct 17 '23 08:10 Access42-HN

As the library gets its filter formatting from the upstream API, the issue would actually lie in the upstream API.

SteveMcGrath avatar Feb 12 '24 17:02 SteveMcGrath