How does Wazuh get CVE (CPE?)


Šimon Jung

Feb 10, 2026, 6:58:31 AM
to Wazuh | Mailing List
Hi Everyone,
Where does Wazuh get those CVEs from? Does it consider small updates and patches? What about CPE?

Marcel Kemp

Feb 10, 2026, 9:14:14 AM
to Wazuh | Mailing List
Hi Simon,

The CVEs shown in Wazuh come from the vulnerability feeds it consumes—mainly the NVD (National Vulnerability Database) and, when applicable, OVAL feeds provided by vendors/distributions. Wazuh then correlates those CVEs with the endpoint’s software inventory (installed packages and their versions) to determine exposure.

Regarding your specific questions:

  • Does it consider small updates and patches?
Yes, as long as they are reflected in the inventory as a version/release change and the feed defines affected/fixed versions accordingly. Wazuh’s detection is version-based; if a “patch” is applied without changing the reported package version, vulnerability detection cannot reliably distinguish it.

In the case of Windows, when installing a hotfix, we consider the list of vulnerabilities it fixes, so we verify the hotfixes to check that the OS does not have any affected vulnerabilities.
We obtain this information from the official Microsoft website: https://msrc.microsoft.com/update-guide

  • What about CPE?
Wazuh leverages CPE information (when available—especially from NVD) as part of the matching/correlation process between inventoried software and published vulnerabilities. The accuracy depends on how well the detected software can be mapped to the corresponding identifiers (e.g., CPE) and version ranges provided by the data sources.
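
The version-based matching described in the reply above, as an added Python example that is not part of the original thread and is not Wazuh's code. The feed entry, CVE id, hosts and package names are constructed; the range keys use the NVD field names `versionStartIncluding` and `versionEndExcluding`, and versions are assumed to be plain dotted numbers.

```python
# Added example: not Wazuh code. Feed entry, CVE id, hosts and packages are constructed.

def parse_cpe23(cpe):
    """Return (vendor, product, version) from a CPE 2.3 formatted string."""
    parts = cpe.split(":")  # simplification: ignores escaped colons
    if len(parts) != 13 or parts[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 string: {cpe!r}")
    return parts[3], parts[4], parts[5]

def version_key(version):
    """Dotted numeric versions only; distro epochs/releases need their own rules."""
    nums = [int(x) for x in version.split(".")]
    return tuple(nums + [0] * (4 - len(nums)))

def affected(pkg, entry):
    """True if the inventoried package falls in the entry's affected range."""
    vendor, product, cpe_version = parse_cpe23(entry["cpe"])
    if (pkg["vendor"], pkg["name"]) != (vendor, product):
        return False
    v = version_key(pkg["version"])
    if cpe_version not in ("*", "-"):  # entry pins one exact version
        return v == version_key(cpe_version)
    lo, hi = entry.get("versionStartIncluding"), entry.get("versionEndExcluding")
    if lo and v < version_key(lo):
        return False
    if hi and v >= version_key(hi):
        return False
    return True

def scan(inventory, feed):
    """Correlate every inventoried package with every feed entry."""
    return [(p["host"], e["cve"]) for p in inventory for e in feed if affected(p, e)]

FEED = [  # constructed entry with a placeholder CVE id
    {"cve": "CVE-0000-0001",
     "cpe": "cpe:2.3:a:examplevendor:exampleapp:*:*:*:*:*:*:*:*",
     "versionStartIncluding": "2.0.0", "versionEndExcluding": "2.4.1"},
]
INVENTORY = [  # constructed inventory
    {"host": "web01", "vendor": "examplevendor", "name": "exampleapp", "version": "2.4.0"},
    {"host": "web02", "vendor": "examplevendor", "name": "exampleapp", "version": "2.4.1"},
    # web03: fix applied in place, but the reported version string did not change
    {"host": "web03", "vendor": "examplevendor", "name": "exampleapp", "version": "2.4.0"},
]

if __name__ == "__main__":
    for host, cve in scan(INVENTORY, FEED):
        print(host, cve)
```

web03 is still reported because its inventory version is identical to web01's, which is the limitation the reply describes for patches that do not change the reported package version.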
