Vulnerability detector details condition field missing


Johny Novent

Dec 1, 2025, 3:22:18 PM
to Wazuh | Mailing List
Hi Wazuh team

Recently I've been using the Wazuh API to get vulnerabilities from agents

but I remember that in earlier versions of Wazuh the events came with a "condition" field like this in a vulnerable package

,"condition":"Package less than or equal to 2.2.3",

,"condition":"Package less than 8.5.13", 

I'm using Wazuh version 4.10.1 right now

and in my alerts or JSON alerts I can't see this field


{
  "_index": "wazuh-states-vulnerabilities-wazuh",
  "_id": "01CVE-2025-55188",
  "_score": 0,
  "_source": {
    "agent": {
      "id": "011",
      "name": "NAMEMACHINE",
      "type": "Wazuh",
      "version": "v4.10.1"
    },
    "host": {
      "os": {
        "full": "Microsoft Windows 11 Home Single Language 10",
        "name": "Microsoft Windows 11 Home Single Language",
        "platform": "windows",
        "type": "windows",
        "version": "10.0."
      }
    },
    "package": {
      "architecture": "x86_64",
      "name": "7-Zip 2x.xxx (x64)",
      "path": "C:\\Program Files\\7-Zip\\",
      "size": 0,
      "type": "win",
      "version": "2x.xx"
    },
    "vulnerability": {
      "category": "Packages",
      "classification": "CVSS",
      "description": "7-Zip before 25.01 does not always properly handle symbolic links during extraction.",
      "detected_at": "2025-09-30T20:03:20.228Z",
      "enumeration": "CVE",
      "id": "CVE-2025-55188",
      "published_at": "2025-08-08T21:15:25Z",
      "reference": "https://github.com/ip7z/7zip/compare/25.00...25.01, https://sourceforge.net/p/sevenzip/discussion/45797/thread/da14cd780b/, https://github.com/ip7z/7zip/releases/tag/25.01, https://github.com/lunbun/CVE-2025-55188/, https://lunbun.dev/blog/cve-2025-55188/, https://www.openwall.com/lists/oss-security/2025/08/09/1, https://youtu.be/sWT6M1cfnwM",
      "scanner": {
        "source": "National Vulnerability Database",
        "vendor": "Wazuh"
      },
      "score": {
        "base": 3.6,
        "version": "3.1"
      },
      "severity": "Low",
      "under_evaluation": false
    },
    "wazuh": {
      "cluster": {
        "name": "wazuh"
      },
      "schema": {
        "version": "1.0.0"
      }
    }
  },
  "fields": {
    "vulnerability.detected_at": [
      "2025-09-30T20:03:20.228Z"
    ],
    "vulnerability.published_at": [
      "2025-08-08T21:15:25.000Z"
    ]
  }
}


I hope someone can help with this doubt about this field, thanks in advance

Natalia Castillo

1:28 AM
to Wazuh | Mailing List
Hi Johny,
You are completely correct in your observation. The condition field (e.g., "Package less than...") is missing from the Vulnerability Inventory (State) API in version 4.10.1.

In Wazuh 4.8.0, we released a major refactor of the Vulnerability Detection module (VD 2.0). During this migration to the new state indices, the condition field was temporarily not mapped to the inventory documents. This is why you cannot see it in your current 4.10.1 setup.

This field was restored in Wazuh 4.12.0.
GitHub Issue: Vulnerability states do not have the package condition information #26496
Since the latest version is 4.14, upgrading your environment to 4.12.0 or higher will restore this field to your inventory API responses.

I recommend upgrading to get the latest changes and fixes. Let me know if you need help with the upgrade process!
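A triage check for the version window described in the reply above, as an added example that is not part of the original thread or Wazuh's own code: it classifies hits exported from the vulnerability states index by whether a "condition" value is present and whether its absence is explained by a version from 4.8.0 up to, but not including, 4.12.0. Assumptions: the thread does not say where in the document the restored field lives, so the code searches every nesting level; agent.version stands in for the deployment version; the function names and sample hits are constructed for illustration.

```python
import re

# Version window taken from the reply: field dropped in 4.8.0, restored in 4.12.0.
GAP_START = (4, 8, 0)
GAP_END = (4, 12, 0)

def parse_version(text):
    """Turn 'v4.10.1' or '4.12.0' into a comparable tuple of ints."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in m.groups())

def find_condition(node):
    """Depth-first search for a string-valued 'condition' key (placement is assumed unknown)."""
    if isinstance(node, dict):
        if isinstance(node.get("condition"), str):
            return node["condition"]
        node = list(node.values())
    if isinstance(node, list):
        for child in node:
            found = find_condition(child)
            if found is not None:
                return found
    return None

def triage(hit):
    """Classify one search hit from the vulnerability states index."""
    src = hit["_source"]
    condition = find_condition(src)
    if condition is not None:
        return ("present", condition)
    # Assumption: agent.version matches the deployment version, as in the question.
    version = parse_version(src["agent"]["version"])
    if GAP_START <= version < GAP_END:
        return ("missing_expected", "upgrade to 4.12.0 or higher")
    return ("missing_unexpected", "outside the window named in the reply")

# Constructed sample hits (trimmed); the first mirrors the document in the question.
SAMPLE_HITS = [
    {"_id": "01CVE-2025-55188", "_source": {"agent": {"version": "v4.10.1"},
        "vulnerability": {"id": "CVE-2025-55188", "scanner": {"vendor": "Wazuh"}}}},
    {"_id": "constructed-2", "_source": {"agent": {"version": "v4.12.0"},
        "vulnerability": {"id": "CVE-PLACEHOLDER", "condition": "Package less than 8.5.13"}}},
    {"_id": "constructed-3", "_source": {"agent": {"version": "v4.12.0"},
        "vulnerability": {"id": "CVE-PLACEHOLDER"}}},
]
RESULTS = {hit["_id"]: triage(hit)[0] for hit in SAMPLE_HITS}
```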