
Request IPS Threat Signature Metadata

The API Reference information for retrieving IPS threat signature metadata can be found here.

Overview

The Threat Vault API can be used to request IPS threat signature metadata. Consider the following examples:

Keep a few things in mind when formatting your API query:

  1. All the query strings in GET requests must be a URL-encoded parameter string. If a value contains a space, replace the space with either a plus sign (+) or %20.
  2. You can specify the content type of the request body and response by setting the Content-Type header. Some responses generate an HTTP response in addition to a JSON object.
  3. Do not embed API keys in code or in files under your application source tree; doing so can inadvertently expose the key. Instead, store the API key in environment variables or in files that are excluded from your application source tree.

Example 1: Request information about a specific threat signature ID

curl -H 'X-API-KEY: API_KEY' 'https://api.threatvault.paloaltonetworks.com/service/v1/threats?id=30001'

A successful API call returns, within the Contents section, status="success" along with the threat signature details, in this case a vulnerability signature:

{
"success": true,
"link": {
"next": null,
"previous": null
},
"count": 1,
"data": {
"vulnerability": [
{
"id": "30001",
"name": "Novell GroupWise iCal RRULE Time Conversion Invalid Array Indexing Vulnerability",
"description": "Novell GroupWise 8.0 before HP3 is prone to a buffer overflow vulnerability while parsing certain crafted calendar requests. The vulnerability is due to an invalid array indexing error while parsing a crafted yearly RRULE variable in a VCALENDAR attachment. An attacker could exploit the vulnerability by sending a crafted VCALENDAR request in an e-mail message. A successful attack could lead to remote code execution with the privileges of the server.",
"category": "overflow",
"min_version": "8.1.0",
"max_version": "",
"severity": "high",
"default_action": "reset-server",
"cve": ["CVE-2011-2663"],
"vendor": [],
"reference": [
"http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=945"
],
"status": "released",
"details": {
"change_data": "updated associated default action to reset"
},
"ori_release_version": "650",
"latest_release_version": "8337",
"ori_release_time": "2016-12-29T16:55:04Z",
"latest_release_time": "2020-10-29T18:15:11Z"
}
]
},
"message": "Successful"
}

Example 2: Request information about threat signatures that match user-defined keywords

curl -H 'X-API-KEY: API_KEY' 'https://api.threatvault.paloaltonetworks.com/service/v1/threats?name=Code+Injection+JS'

A successful API call returns, within the Contents section, status="success" along with the IPS threat signatures whose names contain either of the keywords Code Injection or JS:

{
"success": true,
"link": {
"next": null,
"previous": null
},
"count": 1,
"data": {
"vulnerability": [
{
"id": "91119",
"name": "Node.js Code Injection Vulnerability",
"description": "Node.js is prone to a code injection vulnerability while parsing certain crafted HTTP requests. The vulnerability is due to the lack of proper checks on HTTP requests, leading to an exploitable code injection vulnerability. An attacker could exploit the vulnerability by sending crafted HTTP requests. A successful attack could lead to remote code execution with the privileges of the server.",
"category": "code-execution",
"min_version": "8.1.0",
"max_version": "",
"severity": "high",
"default_action": "alert",
"cve": ["CVE-2020-28502"],
"vendor": [],
"reference": ["https://github.com/s-index/CVE-2020-28502"],
"status": "released",
"details": {
"change_data": "new coverage"
},
"ori_release_version": "8406",
"latest_release_version": "8406",
"ori_release_time": "2021-05-14T05:00:11Z",
"latest_release_time": "2021-05-14T05:00:11Z"
}
]
},
"message": "Successful"
}

Example 3: Request information about threat signatures that match a specific CVE

curl -H 'X-API-KEY: API_KEY' 'https://api.threatvault.paloaltonetworks.com/service/v1/threats?cve=CVE-2020-2040'

A successful API call returns, within the Contents section, status="success" along with IPS threat signatures that directly match with CVE-2020-2040:

{
"success": true,
"link": {
"next": null,
"previous": null
},
"count": 4,
"data": {
"vulnerability": [
{
"id": "59255",
"name": "Palo Alto Networks PAN-OS Buffer Overflow Vulnerability",
"description": "Palo Alto Networks PAN-OS is prone to a buffer overflow vulnerability while parsing certain crafted HTTP requests. The vulnerability is due to the lack of proper checks on HTTP requests, leading to an exploitable buffer overflow vulnerability. An attacker could exploit the vulnerability by sending crafted HTTP requests. A successful attack could lead to remote code execution.",
"category": "code-execution",
"min_version": "8.1.0",
"max_version": "",
"severity": "critical",
"default_action": "reset-server",
"cve": ["CVE-2020-2040"],
"vendor": [],
"reference": ["https://security.paloaltonetworks.com/CVE-2020-2040"],
"status": "released",
"details": {
"change_data": "new coverage"
},
"ori_release_version": "8317",
"latest_release_version": "8317",
"ori_release_time": "2020-09-09T09:45:08Z",
"latest_release_time": "2020-09-09T09:45:08Z"
},
{
"id": "59259",
"name": "Palo Alto Networks PAN-OS Buffer Overflow Vulnerability",
"description": "Palo Alto Networks PAN-OS is prone to a buffer overflow vulnerability while parsing certain crafted HTTP requests. The vulnerability is due to the lack of proper checks on HTTP requests, leading to an exploitable buffer overflow vulnerability. An attacker could exploit the vulnerability by sending crafted HTTP requests. A successful attack could lead to remote code execution.",
"category": "code-execution",
"min_version": "8.1.0",
"max_version": "",
"severity": "critical",
"default_action": "reset-server",
"cve": ["CVE-2020-2040"],
"vendor": [],
"reference": ["https://security.paloaltonetworks.com/CVE-2020-2040"],
"status": "released",
"details": {
"change_data": "new coverage"
},
"ori_release_version": "8317",
"latest_release_version": "8317",
"ori_release_time": "2020-09-09T09:45:08Z",
"latest_release_time": "2020-09-09T09:45:08Z"
},
{
"id": "59267",
"name": "Palo Alto Networks PAN-OS Buffer Overflow Vulnerability",
"description": "Palo Alto Networks PAN-OS is prone to a buffer overflow vulnerability while parsing certain crafted HTTP requests. The vulnerability is due to the lack of proper checks on HTTP requests, leading to an exploitable buffer overflow vulnerability. An attacker could exploit the vulnerability by sending crafted HTTP requests. A successful attack could lead to remote code execution.",
"category": "code-execution",
"min_version": "8.1.0",
"max_version": "",
"severity": "critical",
"default_action": "reset-server",
"cve": ["CVE-2020-2040"],
"vendor": [],
"reference": ["https://security.paloaltonetworks.com/CVE-2020-2040"],
"status": "released",
"details": {
"change_data": "new coverage"
},
"ori_release_version": "8317",
"latest_release_version": "8317",
"ori_release_time": "2020-09-09T09:45:08Z",
"latest_release_time": "2020-09-09T09:45:08Z"
},
{
"id": "59270",
"name": "Palo Alto Networks PAN-OS Buffer Overflow Vulnerability",
"description": "Palo Alto Networks PAN-OS is prone to a buffer overflow vulnerability while parsing certain crafted HTTP requests. The vulnerability is due to the lack of proper checks on HTTP requests, leading to an exploitable buffer overflow vulnerability. An attacker could exploit the vulnerability by sending crafted HTTP requests. A successful attack could lead to remote code execution.",
"category": "code-execution",
"min_version": "8.1.0",
"max_version": "",
"severity": "critical",
"default_action": "reset-server",
"cve": ["CVE-2020-2040"],
"vendor": [],
"reference": ["https://security.paloaltonetworks.com/CVE-2020-2040"],
"status": "released",
"details": {
"change_data": "new coverage"
},
"ori_release_version": "8317",
"latest_release_version": "8317",
"ori_release_time": "2020-09-09T09:45:08Z",
"latest_release_time": "2020-09-09T09:45:08Z"
}
]
},
"message": "Successful"
}

Example 4: Request information about all threat signatures that match a partial CVE value

curl -H 'X-API-KEY: API_KEY' 'https://api.threatvault.paloaltonetworks.com/service/v1/threats?cve=CVE-2022'

A successful API call returns, within the Contents section, status="success" along with the IPS threat signatures whose CVE designation includes CVE-2022:

{
"success": true,
"link": {
"next": null,
"previous": null
},
"count": 392,
"data": {
"antivirus": [
{
"name": "Virus/Win32.CVE-2022-21916.a",
"severity": "medium",
"type": "0",
"subtype": "virus",
"description": "This signature detected Virus/Win32.CVE-2022-21916.a",
"action": "",
"id": "463306847",
"create_time": "2022-01-11T14:45:56Z",
"status": "active",
"related_sha256_hashes": [
"c84c708c5418dfd84fee0fec2fff4849995b6295d2e53e0fef05ad9e1e1dd979"
],
"release": {
"antivirus": {
"first_release_version": "3961",
"first_release_time": "2022-01-12T13:35:10Z",
"last_release_version": "3983",
"last_release_time": "2022-02-03T13:35:27Z"
},
"wildfire": {
"first_release_version": "630158",
"first_release_time": "2022-01-18T16:21:15Z",
"last_release_version": "630158",
"last_release_time": "2022-01-18T16:21:15Z"
}
}
},
{
"name": "Virus/Win32.CVE-2022-21897.a",
"severity": "medium",
"type": "0",
"subtype": "virus",
"description": "This signature detected Virus/Win32.CVE-2022-21897.a",
"action": "",
"id": "463306850",
"create_time": "2022-01-11T14:45:57Z",
"status": "active",
"related_sha256_hashes": [
"a6c4b5995d39ca65fcb4e6057d145d359c1a264c2d77d6d51c4426deaaf3a6c9"
],
"release": {
"antivirus": {
"first_release_version": "3961",
"first_release_time": "2022-01-12T13:35:10Z",
"last_release_version": "3983",
"last_release_time": "2022-02-03T13:35:27Z"
},
"wildfire": {
"first_release_version": "630158",
"first_release_time": "2022-01-18T16:21:15Z",
"last_release_version": "630158",
"last_release_time": "2022-01-18T16:21:15Z"
}
}
},
{
"name": "Virus/Win32.CVE-2022-21897.b",
"severity": "medium",
"type": "0",
"subtype": "virus",
"description": "This signature detected Virus/Win32.CVE-2022-21897.b",
"action": "",
"id": "463306853",
"create_time": "2022-01-11T14:45:57Z",
"status": "active",
"related_sha256_hashes": [
"795aaae65f37bf3dbde288d1cf7acd1d27bf4359d24a56555fcb3e6cb22c195a"
],
"release": {
"antivirus": {
"first_release_version": "3961",
"first_release_time": "2022-01-12T13:35:10Z",
"last_release_version": "3983",
"last_release_time": "2022-02-03T13:35:27Z"
},
"wildfire": {
"first_release_version": "630158",
"first_release_time": "2022-01-18T16:21:15Z",
"last_release_version": "630158",
"last_release_time": "2022-01-18T16:21:15Z"
}
}
},
{
"name": "Virus/Win32.CVE-2022-21908.a",
"severity": "medium",
"type": "0",
"subtype": "virus",
"description": "This signature detected Virus/Win32.CVE-2022-21908.a",
"action": "",
"id": "463306856",
"create_time": "2022-01-11T14:45:57Z",
"status": "active",
"related_sha256_hashes": [
"3f8bdcd8c3043ea206d0e40c9545f411090253be5239d1e477d41c5148afd7ff"
],
"release": {
"antivirus": {
"first_release_version": "3961",
"first_release_time": "2022-01-12T13:35:10Z",
"last_release_version": "3983",
"last_release_time": "2022-02-03T13:35:27Z"
},
"wildfire": {
"first_release_version": "630157",
"first_release_time": "2022-01-18T16:16:15Z",
"last_release_version": "630157",
"last_release_time": "2022-01-18T16:16:15Z"
}
}
},
===========================================================================
Shortened for brevity
===========================================================================
{
"id": "92977",
"name": "VMware Workspace Remote Code Execution Vulnerability",
"description": "VMware Workspace is prone to a remote code execution vulnerability while parsing certain crafted HTTP requests. The vulnerability is due to the lack of proper checks on HTTP requests, leading to an exploitable remote code execution vulnerability. An attacker could exploit the vulnerability by sending crafted HTTP requests. A successful attack could lead to remote code execution.",
"category": "code-execution",
"min_version": "8.1.0",
"max_version": "",
"severity": "high",
"default_action": "reset-server",
"cve": [
"CVE-2022-31659"
],
"vendor": [],
"reference": [
"https://petrusviet.medium.com/dancing-on-the-architecture-of-vmware-workspace-one-access-eng-ad592ae1b6dd"
],
"status": "released",
"details": {
"change_data": "new coverage"
},
"ori_release_version": "8608",
"latest_release_version": "8608",
"ori_release_time": "2022-08-15T16:05:06Z",
"latest_release_time": "2022-08-15T16:05:06Z"
},
{
"id": "92978",
"name": "VMware Workspace Authentication Bypass Vulnerability",
"description": "VMware Workspace is prone to a authentication bypass vulnerability while parsing certain crafted HTTP requests. The vulnerability is due to the lack of proper checks on HTTP requests, leading to an exploitable authentication bypass vulnerability. An attacker could exploit the vulnerability by sending crafted HTTP requests. A successful attack could lead to remote code execution.",
"category": "code-execution",
"min_version": "8.1.0",
"max_version": "",
"severity": "critical",
"default_action": "reset-server",
"cve": [
"CVE-2022-31656"
],
"vendor": [],
"reference": [
"https://petrusviet.medium.com/dancing-on-the-architecture-of-vmware-workspace-one-access-eng-ad592ae1b6dd"
],
"status": "released",
"details": {
"change_data": "new coverage"
},
"ori_release_version": "8608",
"latest_release_version": "8608",
"ori_release_time": "2022-08-15T16:05:06Z",
"latest_release_time": "2022-08-15T16:05:06Z"
}
]
},
"message": "Successful"
}
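A small client built around the conventions above, as an added example that is not part of the Threat Vault documentation or any Palo Alto Networks SDK: it reads the key from an environment variable (the name THREATVAULT_API_KEY is an assumption), URL-encodes the query parameters used in Examples 1 to 4, and normalises the response shape those examples show (the vulnerability array with default_action, and the antivirus array with action and a nested release block). The sample response is constructed from values on this page; only fetch() touches the network.

```python
"""Minimal Threat Vault client for GET /service/v1/threats (added example)."""
import json
import os
import urllib.parse
import urllib.request

BASE_URL = "https://api.threatvault.paloaltonetworks.com/service/v1/threats"


def api_key_from_env(var_name="THREATVAULT_API_KEY"):
    """Read the key from the environment (variable name is an assumption),
    so it never lives in the source tree (page note 3)."""
    key = os.environ.get(var_name)
    if not key:
        raise RuntimeError(f"{var_name} is not set; do not hard-code the key")
    return key


def build_query(**params):
    """Build the GET URL; urlencode() produces the URL-encoded parameter
    string page note 1 requires, turning spaces into '+'."""
    filters = {k: v for k, v in params.items() if v is not None}
    if not filters:
        raise ValueError("give at least one filter: id, name, cve or a release range")
    return BASE_URL + "?" + urllib.parse.urlencode(filters)


def build_request(url, api_key):
    """Attach the X-API-KEY header used by every curl example on this page."""
    return urllib.request.Request(
        url, headers={"X-API-KEY": api_key, "Accept": "application/json"})


def fetch(url, api_key, timeout=30):
    """Perform the call over the network and return the parsed JSON object."""
    with urllib.request.urlopen(build_request(url, api_key), timeout=timeout) as resp:
        return json.load(resp)


def flatten_signatures(response):
    """One flat record per signature, whichever data array it came from.

    IPS entries (vulnerability/spyware) carry default_action and
    latest_release_version; antivirus entries (Example 4) carry action and a
    nested release block, so both layouts are mapped onto the same keys."""
    if not response.get("success"):
        raise RuntimeError("API call failed: %s" % response.get("message"))
    rows = []
    for kind, entries in response.get("data", {}).items():
        for entry in entries:
            av_release = entry.get("release", {}).get("antivirus", {})
            rows.append({
                "kind": kind,
                "id": entry.get("id"),
                "name": entry.get("name"),
                "severity": entry.get("severity"),
                "action": entry.get("default_action", entry.get("action", "")),
                "cve": list(entry.get("cve", [])),
                "latest_release": entry.get("latest_release_version",
                                            av_release.get("last_release_version")),
            })
    return rows


def has_next_page(response):
    """link.next is null in every example on the page; non-null means more pages."""
    return bool((response.get("link") or {}).get("next"))


def review_candidates(rows):
    """High/critical signatures whose default action is only 'alert': the set a
    defender typically revisits when tuning a vulnerability protection profile."""
    return sorted(r["id"] for r in rows
                  if r["action"] == "alert" and r["severity"] in ("high", "critical"))


# Constructed sample in the response shape shown on this page (values taken
# from Examples 2, 3 and 4); it is not a live API response.
SAMPLE_RESPONSE = {
    "success": True,
    "link": {"next": None, "previous": None},
    "count": 3,
    "data": {
        "vulnerability": [
            {"id": "91119", "name": "Node.js Code Injection Vulnerability",
             "severity": "high", "default_action": "alert",
             "cve": ["CVE-2020-28502"], "status": "released",
             "ori_release_version": "8406", "latest_release_version": "8406"},
            {"id": "59255", "name": "Palo Alto Networks PAN-OS Buffer Overflow Vulnerability",
             "severity": "critical", "default_action": "reset-server",
             "cve": ["CVE-2020-2040"], "status": "released",
             "ori_release_version": "8317", "latest_release_version": "8317"},
        ],
        "antivirus": [
            {"name": "Virus/Win32.CVE-2022-21916.a", "severity": "medium",
             "subtype": "virus", "action": "", "id": "463306847", "status": "active",
             "release": {"antivirus": {"first_release_version": "3961",
                                       "last_release_version": "3983"}}},
        ],
    },
    "message": "Successful",
}

if __name__ == "__main__":
    rows = flatten_signatures(SAMPLE_RESPONSE)
    for r in rows:
        print(r["kind"], r["id"], r["severity"], r["action"] or "-", r["latest_release"])
    print("review candidates:", review_candidates(rows))
    # Live query (needs the key in the environment):
    # print(fetch(build_query(cve="CVE-2020-2040"), api_key_from_env())["count"])
```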


Example 5: Request information about IPS threat signatures released within a version range

curl -H 'X-API-KEY: API_KEY' 'https://api.threatvault.paloaltonetworks.com/service/v1/threats?fromReleaseVersion=8440&toReleaseVersion=8443'

A successful API call returns, within the Contents section, status="success" along with the IPS threat signatures that have been released between content release version 8440 and 8443:

{
"success": true,
"link": {
"next": null,
"previous": null
},
"count": 30,
"data": {
"spyware": [
{
"id": "21558",
"name": "Begseabug Worm Traffic Detection",
"description": "This signature detects traffic generated by Begseabug worm.",
"category": "net-worm",
"min_version": "8.1.0",
"max_version": "",
"severity": "critical",
"default_action": "reset-both",
"cve": [],
"vendor": [],
"reference": [],
"status": "released",
"details": {
"change_data": "new coverage"
},
"ori_release_version": "8440",
"latest_release_version": "8440",
"ori_release_time": "2021-08-06T02:30:09Z",
"latest_release_time": "2021-08-06T02:30:09Z"
},
{
"id": "21571",
"name": "vjW0rm Worm Traffic Detection",
"description": "This signature detects traffic generated by vjW0rm worm.",
"category": "net-worm",
"min_version": "8.1.0",
"max_version": "",
"severity": "critical",
"default_action": "reset-both",
"cve": [],
"vendor": [],
"reference": [],
"status": "released",
"details": {
"change_data": "new coverage"
},
"ori_release_version": "8443",
"latest_release_version": "8443",
"ori_release_time": "2021-08-10T17:50:06Z",
"latest_release_time": "2021-08-10T17:50:06Z"
},
{
"id": "21572",
"name": "Generic Trojan Downloader Traffic Detection",
"description": "This signature detects malicious file downloader traffic.",
"category": "downloader",
"min_version": "8.1.0",
"max_version": "",
"severity": "critical",
"default_action": "reset-both",
"cve": [],
"vendor": [],
"reference": [],
"status": "released",
"details": {
"change_data": "new coverage"
},
"ori_release_version": "8443",
"latest_release_version": "8443",
"ori_release_time": "2021-08-10T17:50:06Z",
"latest_release_time": "2021-08-10T17:50:06Z"
},
{
"id": "21574",
"name": "Andromeda Command and Control Traffic Detection",
"description": "This signature detects command and control traffic generated by Andromeda.",
"category": "command-and-control",
"min_version": "8.1.0",
"max_version": "",
"severity": "critical",
"default_action": "reset-both",
"cve": [],
"vendor": [],
"reference": [],
"status": "released",
"details": {
"change_data": "new coverage"
},
"ori_release_version": "8443",
"latest_release_version": "8443",
"ori_release_time": "2021-08-10T17:50:06Z",
"latest_release_time": "2021-08-10T17:50:06Z"
},
{
"id": "21587",
"name": "Sality Command and Control Traffic Detection",
"description": "This signature detects command and control traffic generated by Sality.",
"category": "command-and-control",
"min_version": "8.1.0",
"max_version": "",
"severity": "critical",
"default_action": "reset-both",
"cve": [],
"vendor": [],
"reference": [],
"status": "released",
"details": {
"change_data": "new coverage"
},
"ori_release_version": "8443",
"latest_release_version": "8443",
"ori_release_time": "2021-08-10T17:50:06Z",
"latest_release_time": "2021-08-10T17:50:06Z"
},
{
"id": "80858",
"name": "Webshell.CFM.tennc.Cmd_Shell File Detection",
"description": "This signature covers webshells from the tennc repository. This webshell provides unauthorized remote access to underlying operating system functions on the compromised system, potentially enabling remote code execution, data exfiltration, and mounting multi-stage cyber attacks.",
"category": "webshell",
"min_version": "8.1.0",
"max_version": "",
"severity": "high",
"default_action": "reset-both",
"cve": [],
"vendor": [],
"reference": [
"https://github.com/tennc/webshell/tree/master//net-friend/cfm/mycode12.cfm"
],
"status": "released",
"details": {
"change_data": "improved detection logic for decoder updates"
},
"ori_release_version": "8165",
"latest_release_version": "8443",
"ori_release_time": "2019-06-25T17:45:09Z",
"latest_release_time": "2021-08-10T17:50:06Z"
}
],
"vulnerability": [
{
"id": "33049",
"name": "Adobe Reader Memory Corruption Vulnerability",
"description": "Adobe Reader is prone to a memory corruption vulnerability while parsing certain crafted PDF files. The vulnerability is due to the lack of proper checks on PDF files, leading to an exploitable memory corruption vulnerability. An attacker could exploit the vulnerability by sending a crafted PDF file. A successful attack could lead to remote code execution with the privileges of the currently logged-in user.",
"category": "code-execution",
"min_version": "8.1.0",
"max_version": "",
"severity": "high",
"default_action": "reset-both",
"cve": ["CVE-2017-2960"],
"vendor": ["APSB17-01"],
"reference": [
"https://helpx.adobe.com/security/products/acrobat/apsb17-01.html"
],
"status": "released",
"details": {
"change_data": "improved detection logic to cover a new exploit"
},
"ori_release_version": "676",
"latest_release_version": "8440",
"ori_release_time": "2017-03-21T17:15:04Z",
"latest_release_time": "2021-08-06T02:30:09Z"
},
{
"id": "33361",
"name": "Intel vPro Management Modules Authentication Bypass Vulnerability",
"description": "Intel vPro including Intel Active Management Technology (AMT) is prone to an authentication bypass vulnerability while parsing certain crafted HTTP requests. The vulnerability is due to the lack of proper checks on HTTP requests, leading to an exploitable authentication bypass vulnerability. An attacker could exploit the vulnerability by sending crafted HTTP requests. A successful attack could lead to information disclosure with the privileges of the server.",
"category": "info-leak",
"min_version": "8.1.0",
"max_version": "",
"severity": "critical",
"default_action": "reset-server",
"cve": ["CVE-2017-5689"],
"vendor": [],
"reference": [
"https://www.embedi.com/files/white-papers/Silent-Bob-is-Silent.pdf",
"https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr",
"https://www.embedi.com/news/mythbusters-cve-2017-5689",
"http://www.tenable.com/blog/rediscovering-the-intel-amt-vulnerability"
],
"status": "released",
"details": {
"change_data": "improved detection logic to cover a new exploit"
},
"ori_release_version": "699",
"latest_release_version": "8442",
"ori_release_time": "2017-05-16T12:10:03Z",
"latest_release_time": "2021-08-10T03:45:09Z"
},
{
"id": "58544",
"name": "Multiple Products RMI Insecure Deserialization Vulnerability",
"description": "Multiple Products are prone to an insecure deserialization vulnerability while parsing certain crafted RMI requests. The vulnerability is due to the lack of proper checks on RMI requests, leading to an exploitable insecure deserialization vulnerability. An attacker could exploit the vulnerability by sending crafted RMI requests. A successful attack could lead to remote code execution with the privileges of the server.",
"category": "code-execution",
"min_version": "8.1.0",
"max_version": "",
"severity": "critical",
"default_action": "reset-server",
"cve": ["CVE-2020-3280", "CVE-2020-36239"],
"vendor": [],
"reference": [
"https://threatpost.com/critical-cisco-rce-flaw-unified-ccx/155980/",
"https://confluence.atlassian.com/adminjiraserver/jira-data-center-and-jira-service-management-data-center-security-advisory-2021-07-21-1063571388.html"
],
"status": "released",
"details": {
"change_data": "new coverage"
},
"ori_release_version": "8285",
"latest_release_version": "8442",
"ori_release_time": "2020-06-23T16:25:11Z",
"latest_release_time": "2021-08-10T03:45:09Z"
},
{
"id": "91155",
"name": "ImageMagick Server-Side Request Forgery Vulnerability",
"description": "ImageMagick is prone to a server-side request forgery vulnerability while parsing certain crafted MVG files. The vulnerability is due to the lack of proper checks on MVG files, leading to an exploitable server-side request forgery vulnerability. An attacker could exploit the vulnerability by sending a crafted MVG file. A successful attack could lead to information disclosure.",
"category": "info-leak",
"min_version": "8.1.0",
"max_version": "",
"severity": "medium",
"default_action": "alert",
"cve": ["CVE-2016-3718"],
"vendor": [],
"reference": ["https://www.exploit-db.com/exploits/39767"],
"status": "released",
"details": {
"change_data": "updated associated metadata information"
},
"ori_release_version": "8438",
"latest_release_version": "8440",
"ori_release_time": "2021-08-02T23:45:04Z",
"latest_release_time": "2021-08-06T02:30:09Z"
},
{
"id": "91340",
"name": "Online Pet Shop We App SQL Injection Vulnerability",
"description": "Online Pet Shop We App is prone to a SQL injection vulnerability while parsing certain crafted HTTP requests. The vulnerability is due to the lack of proper checks on HTTP requests, leading to an exploitable SQL injection vulnerability. An attacker could exploit the vulnerability by sending crafted HTTP requests. A successful attack could lead to remote code execution.",
"category": "sql-injection",
"min_version": "8.1.0",
"max_version": "",
"severity": "critical",
"default_action": "reset-server",
"cve": ["CVE-2021-35458"],
"vendor": [],
"reference": [
"https://dl.packetstormsecurity.net/2106-exploits/onlinepetshop10-sqlshell.pdf"
],
"status": "released",
"details": {
"change_data": "new coverage"
},
"ori_release_version": "8425",
"latest_release_version": "8440",
"ori_release_time": "2021-07-02T18:30:08Z",
"latest_release_time": "2021-08-06T02:30:09Z"
},
{
"id": "91362",
"name": "Impacket WMIExec Detection",
"description": "This signature detects the post-exploitation tool WMIExec by Impacket. The trigger of this signature should not be considered malicious all the time as it could be used by legitimate users to execute commands on a remote machine, but this tool is used widely by researchers and attackers for lateral movement.",
"category": "hacktool",
"min_version": "8.1.0",
"max_version": "",
"severity": "medium",
"default_action": "alert",
"cve": [],
"vendor": [],
"reference": [
"https://github.com/SecureAuthCorp/impacket/blob/master/examples/wmiexec.py"
],
"status": "released",
"details": {
"change_data": "new coverage"
},
"ori_release_version": "8443",
"latest_release_version": "8443",
"ori_release_time": "2021-08-10T17:50:06Z",
"latest_release_time": "2021-08-10T17:50:06Z"
},
{
"id": "91377",
"name": "Microsoft Outlook Information Disclosure Vulnerability",
"description": "Microsoft Outlook is prone to an information disclosure vulnerability while parsing certain crafted TNEF files. The vulnerability is due to the lack of proper checks on TNEF files, leading to an exploitable information disclosure vulnerability. An attacker could exploit the vulnerability by sending a crafted TNEF file. A successful attack could lead to information disclosure with the privileges of the server.",
"category": "info-leak",
"min_version": "8.1.0",
"max_version": "",
"severity": "medium",
"default_action": "alert",
"cve": ["CVE-2020-1493"],
"vendor": [],
"reference": [
"https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-1493"
],
"status": "released",
"details": {
"change_data": "new coverage"
},
"ori_release_version": "8440",
"latest_release_version": "8440",
"ori_release_time": "2021-08-06T02:30:09Z",
"latest_release_time": "2021-08-06T02:30:09Z"
},
{
"id": "91379",
"name": "Dubbo Telnet Handler Remote Code Execution Vulnerability",
"description": "Dubbo Telnet Handler is prone to a remote code execution vulnerability while parsing certain crafted TELNET requests. The vulnerability is due to the lack of proper checks on TELNET requests, leading to an exploitable remote code execution vulnerability. An attacker could exploit the vulnerability by sending crafted TELNET requests. A successful attack could lead to remote code execution with the privileges of the server.",
"category": "code-execution",
"min_version": "8.1.0",
"max_version": "",
"severity": "medium",
"default_action": "alert",
"cve": ["CVE-2021-32824"],
"vendor": [],
"reference": [
"https://securitylab.github.com/advisories/GHSL-2021-034_043-apache-dubbo/"
],
"status": "released",
"details": {
"change_data": "new coverage"
},
"ori_release_version": "8442",
"latest_release_version": "8442",
"ori_release_time": "2021-08-10T03:45:09Z",
"latest_release_time": "2021-08-10T03:45:09Z"
},
{
"id": "91420",
"name": "OTRS Remote Code Execution Vulnerability",
"description": "OTRS is prone to a remote code execution vulnerability while parsing certain crafted HTTP requests. The vulnerability is due to the lack of proper checks on HTTP requests, leading to an exploitable remote code execution vulnerability. An attacker could exploit the vulnerability by sending crafted HTTP requests. A successful attack could lead to remote code execution with the privileges of the server.",
"category": "code-execution",
"min_version": "8.1.0",
"max_version": "",
"severity": "high",
"default_action": "reset-server",
"cve": ["CVE-2017-16921"],
"vendor": [],
"reference": [],
"status": "released",
"details": {
"change_data": "new coverage"
},
"ori_release_version": "8440",
"latest_release_version": "8440",
"ori_release_time": "2021-08-06T02:30:09Z",
"latest_release_time": "2021-08-06T02:30:09Z"
},
{
"id": "91431",
"name": "Google Chrome Use-After-Free Vulnerability",
"description": "Google Chrome is prone to a use-after-free vulnerability while parsing certain crafted HTML files. The vulnerability is due to the lack of proper checks on HTML files, leading to an exploitable use-after-free vulnerability. An attacker could exploit the vulnerability by sending a crafted HTML file. A successful attack could lead to memory corruption condition with the privileges of the currently logged-in user.",
"category": "code-execution",
"min_version": "8.1.0",
"max_version": "",
"severity": "high",
"default_action": "reset-both",
"cve": ["CVE-2021-21232"],
"vendor": [],
"reference": [
"https://bugs.chromium.org/p/chromium/issues/detail?id=1175058"
],
"status": "released",
"details": {
"change_data": "new coverage"
},
"ori_release_version": "8440",
"latest_release_version": "8440",
"ori_release_time": "2021-08-06T02:30:09Z",
"latest_release_time": "2021-08-06T02:30:09Z"
},
{
"id": "91432",
"name": "Google Chrome Use-After-Free Vulnerability",
"description": "Google Chrome is prone to a use-after-free vulnerability while parsing certain crafted HTML files. The vulnerability is due to the lack of proper checks on HTML files, leading to an exploitable use-after-free vulnerability. An attacker could exploit the vulnerability by sending a crafted HTML file. A successful attack could lead to memory corruption condition with the privileges of the currently logged-in user.",
"category": "code-execution",
"min_version": "8.1.0",
"max_version": "",
"severity": "high",
"default_action": "reset-both",
"cve": ["CVE-2021-21202"],
"vendor": [],
"reference": [
"https://bugs.chromium.org/p/chromium/issues/detail?id=1188889"
],
"status": "released",
"details": {
"change_data": "new coverage"
},
"ori_release_version": "8440",
"latest_release_version": "8440",
"ori_release_time": "2021-08-06T02:30:09Z",
"latest_release_time": "2021-08-06T02:30:09Z"
},
{
"id": "91433",
"name": "Google Chrome Use-After-Free Vulnerability",
"description": "Google Chrome is prone to a use-after-free vulnerability while parsing certain crafted HTML files. The vulnerability is due to the lack of proper checks on HTML files, leading to an exploitable use-after-free vulnerability. An attacker could exploit the vulnerability by sending a crafted HTML file. A successful attack could lead to memory corruption condition with the privileges of the currently logged-in user.",
"category": "code-execution",
"min_version": "8.1.0",
"max_version": "",
"severity": "critical",
"default_action": "reset-both",
"cve": ["CVE-2021-21226"],
"vendor": [],
"reference": [
"https://bugs.chromium.org/p/chromium/issues/detail?id=1197904"
],
"status": "released",
"details": {
"change_data": "new coverage"
},
"ori_release_version": "8440",
"latest_release_version": "8440",
"ori_release_time": "2021-08-06T02:30:09Z",
"latest_release_time": "2021-08-06T02:30:09Z"
},
{
"id": "91434",
"name": "Microsoft Scripting Engine Memory Corruption Vulnerability",
"description": "Microsoft Scripting Engine is prone to a memory corruption vulnerability while parsing certain crafted HTML files. The vulnerability is due to the lack of proper checks on HTML files, leading to an exploitable memory corruption vulnerability. An attacker could exploit the vulnerability by sending a crafted HTML file. A successful attack could lead to memory corruption condition with the privileges of the currently logged-in user.",
"category": "code-execution",
"min_version": "8.1.0",
"max_version": "",
"severity": "high",
"default_action": "reset-both",
"cve": ["CVE-2021-34480"],
"vendor": [],
"reference": [
"https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2021-34480"
],
"status": "released",
"details": {
"change_data": "new coverage"
},
"ori_release_version": "8443",
"latest_release_version": "8443",
"ori_release_time": "2021-08-10T17:50:06Z",
"latest_release_time": "2021-08-10T17:50:06Z"
},
{
"id": "91438",
"name": "Microsoft Remote Desktop Client Remote Code Execution Vulnerability",
"description": "Microsoft Remote Desktop Client is prone to an integer overflow vulnerability while parsing certain crafted RDP responses. The vulnerability is due to the lack of proper checks on RDP responses, leading to an exploitable integer overflow vulnerability. An attacker could exploit the vulnerability by sending a crafted RDP response. A successful attack could lead to remote code execution with the privileges of the currently logged-in user.",
"category": "overflow",
"min_version": "8.1.0",
"max_version": "",
"severity": "critical",
"default_action": "reset-client",
"cve": ["CVE-2021-34535"],
"vendor": [],
"reference": [
"https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2021-34535"
],
"status": "released",
"details": {
"change_data": "new coverage"
},
"ori_release_version": "8443",
"latest_release_version": "8443",
"ori_release_time": "2021-08-10T17:50:06Z",
"latest_release_time": "2021-08-10T17:50:06Z"
},
{
"id": "91441",
"name": "HTTP SQL Injection Attempt",
"description": "SQL injection is a technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is, in fact, an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another.",
"category": "sql-injection",
"min_version": "8.1.0",
"max_version": "",
"severity": "medium",
"default_action": "alert",
"cve": [],
"vendor": [],
"reference": [
"http://en.wikipedia.org/wiki/SQL_injection",
"http://www.modsecurity.org/blog/archives/2008/01/sql_injection_a.html"
],
"status": "released",
"details": {
"change_data": "improved detection logic to cover a new exploit"
},
"ori_release_version": "8440",
"latest_release_version": "8440",
"ori_release_time": "2021-08-06T02:30:09Z",
"latest_release_time": "2021-08-06T02:30:09Z"
},
{
"id": "91442",
"name": "ViewGood CMS SQL Injection Vulnerability",
"description": "ViewGood CMS is prone to a SQL injection vulnerability while parsing certain crafted HTTP requests. The vulnerability is due to the lack of proper checks on HTTP requests, leading to an exploitable SQL injection vulnerability. An attacker could exploit the vulnerability by sending crafted HTTP requests. A successful attack could lead to remote code execution with the privileges of the server.",
"category": "sql-injection",
"min_version": "8.1.0",
"max_version": "",
"severity": "medium",
"default_action": "alert",
"cve": [],
"vendor": [],
"reference": [
"https://github.com/Lucifer1993/AngelSword/blob/master/cms/viewgood/viewgood_two_sqli.py"
],
"status": "released",
"details": {
"change_data": "new coverage"
},
"ori_release_version": "8442",
"latest_release_version": "8442",
"ori_release_time": "2021-08-10T03:45:09Z",
"latest_release_time": "2021-08-10T03:45:09Z"
},
{
"id": "91443",
"name": "Microsoft Outlook Web Access Login Form Remote URI Redirection Vulnerability",
"description": "Microsoft Outlook Web Access (OWA) is prone to a remote URI redirection vulnerability while parsing certain crafted HTTP requests. The vulnerability is due to the lack of proper checks on HTTP requests, leading to an exploitable URI redirection vulnerability. An attacker could exploit the vulnerability by sending a crafted HTTP request. A successful exploit could lead to information disclosure.",
"category": "info-leak",
"min_version": "8.1.0",
"max_version": "",
"severity": "medium",
"default_action": "alert",
"cve": ["CVE-2005-0420"],
"vendor": [],
"reference": ["https://www.securityfocus.com/bid/12459/exploit"],
"status": "released",
"details": {
"change_data": "improved detection logic to cover a new exploit"
},
"ori_release_version": "8443",
"latest_release_version": "8443",
"ori_release_time": "2021-08-10T17:50:06Z",
"latest_release_time": "2021-08-10T17:50:06Z"
},
{
"id": "91444",
"name": "Hikvision IP Camera Unauthenticated Information Disclosure Vulnerability",
"description": "Hikvision IP Camera is prone to an information disclosure vulnerability while parsing certain crafted HTTP requests. The vulnerability is due to the lack of proper checks on HTTP requests, leading to an exploitable information disclosure vulnerability. An attacker could exploit the vulnerability by sending a crafted HTTP request. A successful attack could lead to information disclosure.",
"category": "info-leak",
"min_version": "8.1.0",
"max_version": "",
"severity": "medium",
"default_action": "alert",
"cve": [],
"vendor": [],
"reference": ["https://ipvm.com/reports/hik-exploit"],
"status": "released",
"details": {
"change_data": "new coverage"
},
"ori_release_version": "8443",
"latest_release_version": "8443",
"ori_release_time": "2021-08-10T17:50:06Z",
"latest_release_time": "2021-08-10T17:50:06Z"
},
{
"id": "91446",
"name": "Sunhillo SureLine Unauthenticated OS Command Injection Vulnerability",
"description": "Sunhillo SureLine is prone to an OS command injection vulnerability while parsing certain crafted HTTP requests. The vulnerability is due to the lack of proper checks on HTTP requests, leading to an exploitable OS command injection vulnerability. An attacker could exploit the vulnerability by sending crafted HTTP requests. A successful attack could lead to remote code execution with the privileges of the server.",
"category": "code-execution",
"min_version": "8.1.0",
"max_version": "",
"severity": "high",
"default_action": "reset-server",
"cve": ["CVE-2021-36380"],
"vendor": [],
"reference": [
"https://research.nccgroup.com/2021/07/26/technical-advisory-sunhillo-sureline-unauthenticated-os-command-injection-cve-2021-36380/"
],
"status": "released",
"details": {
"change_data": "new coverage"
},
"ori_release_version": "8440",
"latest_release_version": "8440",
"ori_release_time": "2021-08-06T02:30:09Z",
"latest_release_time": "2021-08-06T02:30:09Z"
},
{
"id": "91450",
"name": "Microsoft Windows Services For NFS RPC XDR Kernel Driver Remote Code Execution Vulnerability",
"description": "Microsoft Windows NFS RPC XDR Kernel Driver is prone to an out-of-bound memory write vulnerability while parsing certain crafted NFS requests. The vulnerability is due to the lack of proper checks on NFS requests, leading to an exploitable out-of-bound memory write vulnerability. An attacker could exploit the vulnerability by sending crafted NFS requests. A successful attack could lead to remote code execution with the privileges of the server.",
"category": "code-execution",
"min_version": "8.1.0",
"max_version": "",
"severity": "critical",
"default_action": "alert",
"cve": ["CVE-2021-26432"],
"vendor": [],
"reference": [
"https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2021-26432"
],
"status": "released",
"details": {
"change_data": "new coverage"
},
"ori_release_version": "8443",
"latest_release_version": "8443",
"ori_release_time": "2021-08-10T17:50:06Z",
"latest_release_time": "2021-08-10T17:50:06Z"
},
{
"id": "91451",
"name": "Lucee Admin Remote Code Execution Vulnerability",
"description": "Lucee Admin is prone to a remote code execution vulnerability while parsing certain crafted HTTP requests. The vulnerability is due to the lack of proper checks on HTTP requests, leading to an exploitable remote code execution vulnerability. An attacker could exploit the vulnerability by sending crafted HTTP requests. A successful attack could lead to remote code execution.",
"category": "code-execution",
"min_version": "8.1.0",
"max_version": "",
"severity": "critical",
"default_action": "reset-server",
"cve": ["CVE-2021-21307"],
"vendor": [],
"reference": [
"https://github.com/cyllective/CVEs/tree/master/CVE-2021-21307"
],
"status": "released",
"details": {
"change_data": "new coverage"
},
"ori_release_version": "8440",
"latest_release_version": "8440",
"ori_release_time": "2021-08-06T02:30:09Z",
"latest_release_time": "2021-08-06T02:30:09Z"
},
{
"id": "91454",
"name": "Pet Shop We App File Upload Vulnerability",
"description": "Pet Shop We App is prone to a file upload vulnerability while parsing certain crafted HTTP requests. The vulnerability is due to the lack of proper checks on HTTP requests, leading to an exploitable file upload vulnerability. An attacker could exploit the vulnerability by sending crafted HTTP requests. A successful attack could lead to remote code execution.",
"category": "code-execution",
"min_version": "8.1.0",
"max_version": "",
"severity": "critical",
"default_action": "reset-server",
"cve": ["CVE-2021-35456"],
"vendor": [],
"reference": [
"https://packetstormsecurity.com/files/download/163282/onlinepetshop10-sqlshell.pdf"
],
"status": "released",
"details": {
"change_data": "new coverage"
},
"ori_release_version": "8440",
"latest_release_version": "8440",
"ori_release_time": "2021-08-06T02:30:09Z",
"latest_release_time": "2021-08-06T02:30:09Z"
},
{
"id": "91474",
"name": "Agentejo Cockpit NoSQL Injection Vulnerability",
"description": "Agentejo Cockpit is prone to a NoSQL injection vulnerability while parsing certain crafted HTTP requests. The vulnerability is due to the lack of proper checks on HTTP requests, leading to an exploitable NoSQL injection vulnerability. An attacker could exploit the vulnerability by sending crafted HTTP requests. A successful attack could lead to information disclosure.",
"category": "info-leak",
"min_version": "8.1.0",
"max_version": "",
"severity": "critical",
"default_action": "reset-server",
"cve": ["CVE-2020-35847", "CVE-2020-35848"],
"vendor": [],
"reference": [
"https://github.com/w33vils/CVE-2020-35847_CVE-2020-35848",
"https://swarm.ptsecurity.com/rce-cockpit-cms/"
],
"status": "released",
"details": {
"change_data": "new coverage"
},
"ori_release_version": "8441",
"latest_release_version": "8441",
"ori_release_time": "2021-08-06T23:35:07Z",
"latest_release_time": "2021-08-06T23:35:07Z"
},
{
"id": "91476",
"name": "Microsoft Exchange Server Cross-Site Scripting Vulnerability",
"description": "Microsoft Exchange Server is prone to a cross-site scripting vulnerability while parsing certain crafted HTTP requests. The vulnerability is due to the lack of proper checks on HTTP requests, leading to an exploitable cross-site scripting vulnerability. An attacker could exploit the vulnerability by sending crafted HTTP requests. A successful attack could lead to remote code execution with the privileges of the currently logged-in user.",
"category": "code-execution",
"min_version": "8.1.0",
"max_version": "",
"severity": "high",
"default_action": "reset-server",
"cve": ["CVE-2021-31195"],
"vendor": [],
"reference": [
"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31195"
],
"status": "released",
"details": [],
"ori_release_version": "8441",
"latest_release_version": "8441",
"ori_release_time": "2021-08-06T23:35:07Z",
"latest_release_time": "2021-08-06T23:35:07Z"
}
]
},
"message": "Successful"
}

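As an added example (not Palo Alto Networks' code) of consuming responses like the one above: a small Python client that builds the authenticated, URL-encoded GET, reads the key from an environment variable rather than from source as the notes recommend, and triages a response by severity, default action, CVE coverage and whether a record is new or updated. The environment variable name, the helper names and the embedded abridged sample response are assumptions; the sample's field values are copied from records shown on this page.

```python
"""Helper for the Threat Vault /service/v1/threats endpoint.

Added example, not the vendor's code. Assumptions not on the page: the
environment variable THREATVAULT_API_KEY, the helper names, and the
constructed sample response used to run offline.
"""
import json
import os
from urllib.parse import urlencode
from urllib.request import Request, urlopen

BASE_URL = "https://api.threatvault.paloaltonetworks.com/service/v1/threats"


def build_request(params, api_key=None):
    """Build the GET: query values are URL-encoded (a space becomes '+') and
    the key travels in the X-API-KEY header, never in the URL or the code."""
    key = api_key if api_key is not None else os.environ.get("THREATVAULT_API_KEY")
    if not key:
        raise RuntimeError("set THREATVAULT_API_KEY in the environment")
    url = f"{BASE_URL}?{urlencode(params)}"
    return Request(url, headers={"X-API-KEY": key, "Content-Type": "application/json"})


def fetch(params, api_key=None):
    """Perform the call and decode the JSON body (network; not used offline).
    A non-null response['link']['next'] would mean more pages to request."""
    with urlopen(build_request(params, api_key)) as resp:
        return json.load(resp)


def signatures(response):
    """Yield (family, record) for every signature under response['data'];
    the families shown on this page are 'spyware' and 'vulnerability'."""
    if not response.get("success"):
        raise ValueError(f"API call failed: {response.get('message')}")
    for family, records in response.get("data", {}).items():
        for rec in records:
            yield family, rec


def triage(response):
    """Summarise a response: counts per severity, critical/high signatures
    whose default action is only 'alert' (candidates for a policy override
    review), CVEs the feed covers, and records updated rather than new."""
    by_severity, alert_only, cves, updated = {}, [], set(), []
    for _family, rec in signatures(response):
        by_severity[rec["severity"]] = by_severity.get(rec["severity"], 0) + 1
        if rec["severity"] in ("critical", "high") and rec["default_action"] == "alert":
            alert_only.append(rec["id"])
        cves.update(rec.get("cve", []))
        # ori != latest means an existing signature was revised in this window
        if rec["ori_release_version"] != rec["latest_release_version"]:
            updated.append(rec["id"])
    return {"by_severity": by_severity, "alert_only": sorted(alert_only),
            "cves": sorted(cves), "updated": sorted(updated)}


# Constructed, abridged response for offline use; values are copied from
# records shown on this page, not fetched from the API.
SAMPLE_RESPONSE = {
    "success": True,
    "link": {"next": None, "previous": None},
    "count": 3,
    "data": {
        "spyware": [
            {"id": "21558", "name": "Begseabug Worm Traffic Detection",
             "category": "net-worm", "severity": "critical",
             "default_action": "reset-both", "cve": [], "status": "released",
             "ori_release_version": "8440", "latest_release_version": "8440"},
        ],
        "vulnerability": [
            {"id": "91450",
             "name": "Microsoft Windows Services For NFS RPC XDR Kernel Driver "
                     "Remote Code Execution Vulnerability",
             "category": "code-execution", "severity": "critical",
             "default_action": "alert", "cve": ["CVE-2021-26432"],
             "status": "released",
             "ori_release_version": "8443", "latest_release_version": "8443"},
            {"id": "33049", "name": "Adobe Reader Memory Corruption Vulnerability",
             "category": "code-execution", "severity": "high",
             "default_action": "reset-both", "cve": ["CVE-2017-2960"],
             "status": "released",
             "ori_release_version": "676", "latest_release_version": "8440"},
        ],
    },
    "message": "Successful",
}

if __name__ == "__main__":
    # Offline run over the constructed sample; swap in fetch(...) for a live call.
    print(json.dumps(triage(SAMPLE_RESPONSE), indent=2))
```
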
Example 6: Request information about IPS threat signatures released within a date range

curl -H 'X-API-KEY: API_KEY' 'https://api.threatvault.paloaltonetworks.com/service/v1/threats?fromReleaseDate=2021-08-05&toReleaseDate=2021-08-10'

A successful API call returns, within the contents section, status="success" along with the IPS threat signatures released between May 05 2021 and October 10 2021:

{
"success": true,
"link": {
"next": null,
"previous": null
},
"count": 30,
"data": {
"spyware": [
{
"id": "21558",
"name": "Begseabug Worm Traffic Detection",
"description": "This signature detects traffic generated by Begseabug worm.",
"category": "net-worm",
"min_version": "8.1.0",
"max_version": "",
"severity": "critical",
"default_action": "reset-both",
"cve": [],
"vendor": [],
"reference": [],
"status": "released",
"details": {
"change_data": "new coverage"
},
"ori_release_version": "8440",
"latest_release_version": "8440",
"ori_release_time": "2021-08-06T02:30:09Z",
"latest_release_time": "2021-08-06T02:30:09Z"
},
{
"id": "21571",
"name": "vjW0rm Worm Traffic Detection",
"description": "This signature detects traffic generated by vjW0rm worm.",
"category": "net-worm",
"min_version": "8.1.0",
"max_version": "",
"severity": "critical",
"default_action": "reset-both",
"cve": [],
"vendor": [],
"reference": [],
"status": "released",
"details": {
"change_data": "new coverage"
},
"ori_release_version": "8443",
"latest_release_version": "8443",
"ori_release_time": "2021-08-10T17:50:06Z",
"latest_release_time": "2021-08-10T17:50:06Z"
},
{
"id": "21572",
"name": "Generic Trojan Downloader Traffic Detection",
"description": "This signature detects malicious file downloader traffic.",
"category": "downloader",
"min_version": "8.1.0",
"max_version": "",
"severity": "critical",
"default_action": "reset-both",
"cve": [],
"vendor": [],
"reference": [],
"status": "released",
"details": {
"change_data": "new coverage"
},
"ori_release_version": "8443",
"latest_release_version": "8443",
"ori_release_time": "2021-08-10T17:50:06Z",
"latest_release_time": "2021-08-10T17:50:06Z"
},
{
"id": "21574",
"name": "Andromeda Command and Control Traffic Detection",
"description": "This signature detects command and control traffic generated by Andromeda.",
"category": "command-and-control",
"min_version": "8.1.0",
"max_version": "",
"severity": "critical",
"default_action": "reset-both",
"cve": [],
"vendor": [],
"reference": [],
"status": "released",
"details": {
"change_data": "new coverage"
},
"ori_release_version": "8443",
"latest_release_version": "8443",
"ori_release_time": "2021-08-10T17:50:06Z",
"latest_release_time": "2021-08-10T17:50:06Z"
},
{
"id": "21587",
"name": "Sality Command and Control Traffic Detection",
"description": "This signature detects command and control traffic generated by Sality.",
"category": "command-and-control",
"min_version": "8.1.0",
"max_version": "",
"severity": "critical",
"default_action": "reset-both",
"cve": [],
"vendor": [],
"reference": [],
"status": "released",
"details": {
"change_data": "new coverage"
},
"ori_release_version": "8443",
"latest_release_version": "8443",
"ori_release_time": "2021-08-10T17:50:06Z",
"latest_release_time": "2021-08-10T17:50:06Z"
},
{
"id": "80858",
"name": "Webshell.CFM.tennc.Cmd_Shell File Detection",
"description": "This signature covers webshells from the tennc repository. This webshell provides unauthorized remote access to underlying operating system functions on the compromised system, potentially enabling remote code execution, data exfiltration, and mounting multi-stage cyber attacks.",
"category": "webshell",
"min_version": "8.1.0",
"max_version": "",
"severity": "high",
"default_action": "reset-both",
"cve": [],
"vendor": [],
"reference": [
"https://github.com/tennc/webshell/tree/master//net-friend/cfm/mycode12.cfm"
],
"status": "released",
"details": {
"change_data": "improved detection logic for decoder updates"
},
"ori_release_version": "8165",
"latest_release_version": "8443",
"ori_release_time": "2019-06-25T17:45:09Z",
"latest_release_time": "2021-08-10T17:50:06Z"
}
],
"vulnerability": [
{
"id": "33049",
"name": "Adobe Reader Memory Corruption Vulnerability",
"description": "Adobe Reader is prone to a memory corruption vulnerability while parsing certain crafted PDF files. The vulnerability is due to the lack of proper checks on PDF files, leading to an exploitable memory corruption vulnerability. An attacker could exploit the vulnerability by sending a crafted PDF file. A successful attack could lead to remote code execution with the privileges of the currently logged-in user.",
"category": "code-execution",
"min_version": "8.1.0",
"max_version": "",
"severity": "high",
"default_action": "reset-both",
"cve": ["CVE-2017-2960"],
"vendor": ["APSB17-01"],
"reference": [
"https://helpx.adobe.com/security/products/acrobat/apsb17-01.html"
],
"status": "released",
"details": {
"change_data": "improved detection logic to cover a new exploit"
},
"ori_release_version": "676",
"latest_release_version": "8440",
"ori_release_time": "2017-03-21T17:15:04Z",
"latest_release_time": "2021-08-06T02:30:09Z"
},
{
"id": "33361",
"name": "Intel vPro Management Modules Authentication Bypass Vulnerability",
"description": "Intel vPro including Intel Active Management Technology (AMT) is prone to an authentication bypass vulnerability while parsing certain crafted HTTP requests. The vulnerability is due to the lack of proper checks on HTTP requests, leading to an exploitable authentication bypass vulnerability. An attacker could exploit the vulnerability by sending crafted HTTP requests. A successful attack could lead to information disclosure with the privileges of the server.",
"category": "info-leak",
"min_version": "8.1.0",
"max_version": "",
"severity": "critical",
"default_action": "reset-server",
"cve": ["CVE-2017-5689"],
"vendor": [],
"reference": [
"https://www.embedi.com/files/white-papers/Silent-Bob-is-Silent.pdf",
"https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr",
"https://www.embedi.com/news/mythbusters-cve-2017-5689",
"http://www.tenable.com/blog/rediscovering-the-intel-amt-vulnerability"
],
"status": "released",
"details": {
"change_data": "improved detection logic to cover a new exploit"
},
"ori_release_version": "699",
"latest_release_version": "8442",
"ori_release_time": "2017-05-16T12:10:03Z",
"latest_release_time": "2021-08-10T03:45:09Z"
},
{
"id": "58544",
"name": "Multiple Products RMI Insecure Deserialization Vulnerability",
"description": "Multiple Products are prone to an insecure deserialization vulnerability while parsing certain crafted RMI requests. The vulnerability is due to the lack of proper checks on RMI requests, leading to an exploitable insecure deserialization vulnerability. An attacker could exploit the vulnerability by sending crafted RMI requests. A successful attack could lead to remote code execution with the privileges of the server.",
"category": "code-execution",
"min_version": "8.1.0",
"max_version": "",
"severity": "critical",
"default_action": "reset-server",
"cve": ["CVE-2020-3280", "CVE-2020-36239"],
"vendor": [],
"reference": [
"https://threatpost.com/critical-cisco-rce-flaw-unified-ccx/155980/",
"https://confluence.atlassian.com/adminjiraserver/jira-data-center-and-jira-service-management-data-center-security-advisory-2021-07-21-1063571388.html"
],
"status": "released",
"details": {
"change_data": "new coverage"
},
"ori_release_version": "8285",
"latest_release_version": "8442",
"ori_release_time": "2020-06-23T16:25:11Z",
"latest_release_time": "2021-08-10T03:45:09Z"
},
{
"id": "91155",
"name": "ImageMagick Server-Side Request Forgery Vulnerability",
"description": "ImageMagick is prone to a server-side request forgery vulnerability while parsing certain crafted MVG files. The vulnerability is due to the lack of proper checks on MVG files, leading to an exploitable server-side request forgery vulnerability. An attacker could exploit the vulnerability by sending a crafted MVG file. A successful attack could lead to information disclosure.",
"category": "info-leak",
"min_version": "8.1.0",
"max_version": "",
"severity": "medium",
"default_action": "alert",
"cve": ["CVE-2016-3718"],
"vendor": [],
"reference": ["https://www.exploit-db.com/exploits/39767"],
"status": "released",
"details": {
"change_data": "updated associated metadata information"
},
"ori_release_version": "8438",
"latest_release_version": "8440",
"ori_release_time": "2021-08-02T23:45:04Z",
"latest_release_time": "2021-08-06T02:30:09Z"
},
{
"id": "91340",
"name": "Online Pet Shop We App SQL Injection Vulnerability",
"description": "Online Pet Shop We App is prone to a SQL injection vulnerability while parsing certain crafted HTTP requests. The vulnerability is due to the lack of proper checks on HTTP requests, leading to an exploitable SQL injection vulnerability. An attacker could exploit the vulnerability by sending crafted HTTP requests. A successful attack could lead to remote code execution.",
"category": "sql-injection",
"min_version": "8.1.0",
"max_version": "",
"severity": "critical",
"default_action": "reset-server",
"cve": ["CVE-2021-35458"],
"vendor": [],
"reference": [
"https://dl.packetstormsecurity.net/2106-exploits/onlinepetshop10-sqlshell.pdf"
],
"status": "released",
"details": {
"change_data": "new coverage"
},
"ori_release_version": "8425",
"latest_release_version": "8440",
"ori_release_time": "2021-07-02T18:30:08Z",
"latest_release_time": "2021-08-06T02:30:09Z"
},
{
"id": "91362",
"name": "Impacket WMIExec Detection",
"description": "This signature detects the post-exploitation tool WMIExec by Impacket. The trigger of this signature should not be considered malicious all the time as it could be used by legitimate users to execute commands on a remote machine, but this tool is used widely by researchers and attackers for lateral movement.",
"category": "hacktool",
"min_version": "8.1.0",
"max_version": "",
"severity": "medium",
"default_action": "alert",
"cve": [],
"vendor": [],
"reference": [
"https://github.com/SecureAuthCorp/impacket/blob/master/examples/wmiexec.py"
],
"status": "released",
"details": {
"change_data": "new coverage"
},
"ori_release_version": "8443",
"latest_release_version": "8443",
"ori_release_time": "2021-08-10T17:50:06Z",
"latest_release_time": "2021-08-10T17:50:06Z"
},
{
"id": "91377",
"name": "Microsoft Outlook Information Disclosure Vulnerability",
"description": "Microsoft Outlook is prone to an information disclosure vulnerability while parsing certain crafted TNEF files. The vulnerability is due to the lack of proper checks on TNEF files, leading to an exploitable information disclosure vulnerability. An attacker could exploit the vulnerability by sending a crafted TNEF file. A successful attack could lead to information disclosure with the privileges of the server.",
"category": "info-leak",
"min_version": "8.1.0",
"max_version": "",
"severity": "medium",
"default_action": "alert",
"cve": ["CVE-2020-1493"],
"vendor": [],
"reference": [
"https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-1493"
],
"status": "released",
"details": {
"change_data": "new coverage"
},
"ori_release_version": "8440",
"latest_release_version": "8440",
"ori_release_time": "2021-08-06T02:30:09Z",
"latest_release_time": "2021-08-06T02:30:09Z"
},
{
"id": "91379",
"name": "Dubbo Telnet Handler Remote Code Execution Vulnerability",
"description": "Dubbo Telnet Handler is prone to a remote code execution vulnerability while parsing certain crafted TELNET requests. The vulnerability is due to the lack of proper checks on TELNET requests, leading to an exploitable remote code execution vulnerability. An attacker could exploit the vulnerability by sending crafted TELNET requests. A successful attack could lead to remote code execution with the privileges of the server.",
"category": "code-execution",
"min_version": "8.1.0",
"max_version": "",
"severity": "medium",
"default_action": "alert",
"cve": ["CVE-2021-32824"],
"vendor": [],
"reference": [
"https://securitylab.github.com/advisories/GHSL-2021-034_043-apache-dubbo/"
],
"status": "released",
"details": {
"change_data": "new coverage"
},
"ori_release_version": "8442",
"latest_release_version": "8442",
"ori_release_time": "2021-08-10T03:45:09Z",
"latest_release_time": "2021-08-10T03:45:09Z"
},
{
"id": "91420",
"name": "OTRS Remote Code Execution Vulnerability",
"description": "OTRS is prone to a remote code execution vulnerability while parsing certain crafted HTTP requests. The vulnerability is due to the lack of proper checks on HTTP requests, leading to an exploitable remote code execution vulnerability. An attacker could exploit the vulnerability by sending crafted HTTP requests. A successful attack could lead to remote code execution with the privileges of the server.",
"category": "code-execution",
"min_version": "8.1.0",
"max_version": "",
"severity": "high",
"default_action": "reset-server",
"cve": ["CVE-2017-16921"],
"vendor": [],
"reference": [],
"status": "released",
"details": {
"change_data": "new coverage"
},
"ori_release_version": "8440",
"latest_release_version": "8440",
"ori_release_time": "2021-08-06T02:30:09Z",
"latest_release_time": "2021-08-06T02:30:09Z"
},
{
"id": "91431",
"name": "Google Chrome Use-After-Free Vulnerability",
"description": "Google Chrome is prone to a use-after-free vulnerability while parsing certain crafted HTML files. The vulnerability is due to the lack of proper checks on HTML files, leading to an exploitable use-after-free vulnerability. An attacker could exploit the vulnerability by sending a crafted HTML file. A successful attack could lead to memory corruption condition with the privileges of the currently logged-in user.",
"category": "code-execution",
"min_version": "8.1.0",
"max_version": "",
"severity": "high",
"default_action": "reset-both",
"cve": ["CVE-2021-21232"],
"vendor": [],
"reference": [
"https://bugs.chromium.org/p/chromium/issues/detail?id=1175058"
],
"status": "released",
"details": {
"change_data": "new coverage"
},
"ori_release_version": "8440",
"latest_release_version": "8440",
"ori_release_time": "2021-08-06T02:30:09Z",
"latest_release_time": "2021-08-06T02:30:09Z"
},
{
"id": "91432",
"name": "Google Chrome Use-After-Free Vulnerability",
"description": "Google Chrome is prone to a use-after-free vulnerability while parsing certain crafted HTML files. The vulnerability is due to the lack of proper checks on HTML files, leading to an exploitable use-after-free vulnerability. An attacker could exploit the vulnerability by sending a crafted HTML file. A successful attack could lead to memory corruption condition with the privileges of the currently logged-in user.",
"category": "code-execution",
"min_version": "8.1.0",
"max_version": "",
"severity": "high",
"default_action": "reset-both",
"cve": ["CVE-2021-21202"],
"vendor": [],
"reference": [
"https://bugs.chromium.org/p/chromium/issues/detail?id=1188889"
],
"status": "released",
"details": {
"change_data": "new coverage"
},
"ori_release_version": "8440",
"latest_release_version": "8440",
"ori_release_time": "2021-08-06T02:30:09Z",
"latest_release_time": "2021-08-06T02:30:09Z"
},
{
"id": "91433",
"name": "Google Chrome Use-After-Free Vulnerability",
"description": "Google Chrome is prone to a use-after-free vulnerability while parsing certain crafted HTML files. The vulnerability is due to the lack of proper checks on HTML files, leading to an exploitable use-after-free vulnerability. An attacker could exploit the vulnerability by sending a crafted HTML file. A successful attack could lead to memory corruption condition with the privileges of the currently logged-in user.",
"category": "code-execution",
"min_version": "8.1.0",
"max_version": "",
"severity": "critical",
"default_action": "reset-both",
"cve": ["CVE-2021-21226"],
"vendor": [],
"reference": [
"https://bugs.chromium.org/p/chromium/issues/detail?id=1197904"
],
"status": "released",
"details": {
"change_data": "new coverage"
},
"ori_release_version": "8440",
"latest_release_version": "8440",
"ori_release_time": "2021-08-06T02:30:09Z",
"latest_release_time": "2021-08-06T02:30:09Z"
},
{
"id": "91434",
"name": "Microsoft Scripting Engine Memory Corruption Vulnerability",
"description": "Microsoft Scripting Engine is prone to a memory corruption vulnerability while parsing certain crafted HTML files. The vulnerability is due to the lack of proper checks on HTML files, leading to an exploitable memory corruption vulnerability. An attacker could exploit the vulnerability by sending a crafted HTML file. A successful attack could lead to memory corruption condition with the privileges of the currently logged-in user.",
"category": "code-execution",
"min_version": "8.1.0",
"max_version": "",
"severity": "high",
"default_action": "reset-both",
"cve": ["CVE-2021-34480"],
"vendor": [],
"reference": [
"https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2021-34480"
],
"status": "released",
"details": {
"change_data": "new coverage"
},
"ori_release_version": "8443",
"latest_release_version": "8443",
"ori_release_time": "2021-08-10T17:50:06Z",
"latest_release_time": "2021-08-10T17:50:06Z"
},
{
"id": "91438",
"name": "Microsoft Remote Desktop Client Remote Code Execution Vulnerability",
"description": "Microsoft Remote Desktop Client is prone to an integer overflow vulnerability while parsing certain crafted RDP responses. The vulnerability is due to the lack of proper checks on RDP responses, leading to an exploitable integer overflow vulnerability. An attacker could exploit the vulnerability by sending a crafted RDP response. A successful attack could lead to remote code execution with the privileges of the currently logged-in user.",
"category": "overflow",
"min_version": "8.1.0",
"max_version": "",
"severity": "critical",
"default_action": "reset-client",
"cve": ["CVE-2021-34535"],
"vendor": [],
"reference": [
"https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2021-34535"
],
"status": "released",
"details": {
"change_data": "new coverage"
},
"ori_release_version": "8443",
"latest_release_version": "8443",
"ori_release_time": "2021-08-10T17:50:06Z",
"latest_release_time": "2021-08-10T17:50:06Z"
},
{
"id": "91441",
"name": "HTTP SQL Injection Attempt",
"description": "SQL injection is a technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is, in fact, an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another.",
"category": "sql-injection",
"min_version": "8.1.0",
"max_version": "",
"severity": "medium",
"default_action": "alert",
"cve": [],
"vendor": [],
"reference": [
"http://en.wikipedia.org/wiki/SQL_injection",
"http://www.modsecurity.org/blog/archives/2008/01/sql_injection_a.html"
],
"status": "released",
"details": {
"change_data": "improved detection logic to cover a new exploit"
},
"ori_release_version": "8440",
"latest_release_version": "8440",
"ori_release_time": "2021-08-06T02:30:09Z",
"latest_release_time": "2021-08-06T02:30:09Z"
},
{
"id": "91442",
"name": "ViewGood CMS SQL Injection Vulnerability",
"description": "ViewGood CMS is prone to a SQL injection vulnerability while parsing certain crafted HTTP requests. The vulnerability is due to the lack of proper checks on HTTP requests, leading to an exploitable SQL injection vulnerability. An attacker could exploit the vulnerability by sending crafted HTTP requests. A successful attack could lead to remote code execution with the privileges of the server.",
"category": "sql-injection",
"min_version": "8.1.0",
"max_version": "",
"severity": "medium",
"default_action": "alert",
"cve": [],
"vendor": [],
"reference": [
"https://github.com/Lucifer1993/AngelSword/blob/master/cms/viewgood/viewgood_two_sqli.py"
],
"status": "released",
"details": {
"change_data": "new coverage"
},
"ori_release_version": "8442",
"latest_release_version": "8442",
"ori_release_time": "2021-08-10T03:45:09Z",
"latest_release_time": "2021-08-10T03:45:09Z"
},
{
"id": "91443",
"name": "Microsoft Outlook Web Access Login Form Remote URI Redirection Vulnerability",
"description": "Microsoft Outlook Web Access (OWA) is prone to a remote URI redirection vulnerability while parsing certain crafted HTTP requests. The vulnerability is due to the lack of proper checks on HTTP requests, leading to an exploitable URI redirection vulnerability. An attacker could exploit the vulnerability by sending a crafted HTTP request. A successful exploit could lead to information disclosure.",
"category": "info-leak",
"min_version": "8.1.0",
"max_version": "",
"severity": "medium",
"default_action": "alert",
"cve": ["CVE-2005-0420"],
"vendor": [],
"reference": ["https://www.securityfocus.com/bid/12459/exploit"],
"status": "released",
"details": {
"change_data": "improved detection logic to cover a new exploit"
},
"ori_release_version": "8443",
"latest_release_version": "8443",
"ori_release_time": "2021-08-10T17:50:06Z",
"latest_release_time": "2021-08-10T17:50:06Z"
},
{
"id": "91444",
"name": "Hikvision IP Camera Unauthenticated Information Disclosure Vulnerability",
"description": "Hikvision IP Camera is prone to an information disclosure vulnerability while parsing certain crafted HTTP requests. The vulnerability is due to the lack of proper checks on HTTP requests, leading to an exploitable information disclosure vulnerability. An attacker could exploit the vulnerability by sending a crafted HTTP request. A successful attack could lead to information disclosure.",
"category": "info-leak",
"min_version": "8.1.0",
"max_version": "",
"severity": "medium",
"default_action": "alert",
"cve": [],
"vendor": [],
"reference": ["https://ipvm.com/reports/hik-exploit"],
"status": "released",
"details": {
"change_data": "new coverage"
},
"ori_release_version": "8443",
"latest_release_version": "8443",
"ori_release_time": "2021-08-10T17:50:06Z",
"latest_release_time": "2021-08-10T17:50:06Z"
},
{
"id": "91446",
"name": "Sunhillo SureLine Unauthenticated OS Command Injection Vulnerability",
"description": "Sunhillo SureLine is prone to an OS command injection vulnerability while parsing certain crafted HTTP requests. The vulnerability is due to the lack of proper checks on HTTP requests, leading to an exploitable OS command injection vulnerability. An attacker could exploit the vulnerability by sending crafted HTTP requests. A successful attack could lead to remote code execution with the privileges of the server.",
"category": "code-execution",
"min_version": "8.1.0",
"max_version": "",
"severity": "high",
"default_action": "reset-server",
"cve": ["CVE-2021-36380"],
"vendor": [],
"reference": [
"https://research.nccgroup.com/2021/07/26/technical-advisory-sunhillo-sureline-unauthenticated-os-command-injection-cve-2021-36380/"
],
"status": "released",
"details": {
"change_data": "new coverage"
},
"ori_release_version": "8440",
"latest_release_version": "8440",
"ori_release_time": "2021-08-06T02:30:09Z",
"latest_release_time": "2021-08-06T02:30:09Z"
},
{
"id": "91450",
"name": "Microsoft Windows Services For NFS RPC XDR Kernel Driver Remote Code Execution Vulnerability",
"description": "Microsoft Windows NFS RPC XDR Kernel Driver is prone to an out-of-bound memory write vulnerability while parsing certain crafted NFS requests. The vulnerability is due to the lack of proper checks on NFS requests, leading to an exploitable out-of-bound memory write vulnerability. An attacker could exploit the vulnerability by sending crafted NFS requests. A successful attack could lead to remote code execution with the privileges of the server.",
"category": "code-execution",
"min_version": "8.1.0",
"max_version": "",
"severity": "critical",
"default_action": "alert",
"cve": ["CVE-2021-26432"],
"vendor": [],
"reference": [
"https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2021-26432"
],
"status": "released",
"details": {
"change_data": "new coverage"
},
"ori_release_version": "8443",
"latest_release_version": "8443",
"ori_release_time": "2021-08-10T17:50:06Z",
"latest_release_time": "2021-08-10T17:50:06Z"
},
{
"id": "91451",
"name": "Lucee Admin Remote Code Execution Vulnerability",
"description": "Lucee Admin is prone to a remote code execution vulnerability while parsing certain crafted HTTP requests. The vulnerability is due to the lack of proper checks on HTTP requests, leading to an exploitable remote code execution vulnerability. An attacker could exploit the vulnerability by sending crafted HTTP requests. A successful attack could lead to remote code execution.",
"category": "code-execution",
"min_version": "8.1.0",
"max_version": "",
"severity": "critical",
"default_action": "reset-server",
"cve": ["CVE-2021-21307"],
"vendor": [],
"reference": [
"https://github.com/cyllective/CVEs/tree/master/CVE-2021-21307"
],
"status": "released",
"details": {
"change_data": "new coverage"
},
"ori_release_version": "8440",
"latest_release_version": "8440",
"ori_release_time": "2021-08-06T02:30:09Z",
"latest_release_time": "2021-08-06T02:30:09Z"
},
{
"id": "91454",
"name": "Pet Shop We App File Upload Vulnerability",
"description": "Pet Shop We App is prone to a file upload vulnerability while parsing certain crafted HTTP requests. The vulnerability is due to the lack of proper checks on HTTP requests, leading to an exploitable file upload vulnerability. An attacker could exploit the vulnerability by sending crafted HTTP requests. A successful attack could lead to remote code execution.",
"category": "code-execution",
"min_version": "8.1.0",
"max_version": "",
"severity": "critical",
"default_action": "reset-server",
"cve": ["CVE-2021-35456"],
"vendor": [],
"reference": [
"https://packetstormsecurity.com/files/download/163282/onlinepetshop10-sqlshell.pdf"
],
"status": "released",
"details": {
"change_data": "new coverage"
},
"ori_release_version": "8440",
"latest_release_version": "8440",
"ori_release_time": "2021-08-06T02:30:09Z",
"latest_release_time": "2021-08-06T02:30:09Z"
},
{
"id": "91474",
"name": "Agentejo Cockpit NoSQL Injection Vulnerability",
"description": "Agentejo Cockpit is prone to a NoSQL injection vulnerability while parsing certain crafted HTTP requests. The vulnerability is due to the lack of proper checks on HTTP requests, leading to an exploitable NoSQL injection vulnerability. An attacker could exploit the vulnerability by sending crafted HTTP requests. A successful attack could lead to information disclosure.",
"category": "info-leak",
"min_version": "8.1.0",
"max_version": "",
"severity": "critical",
"default_action": "reset-server",
"cve": ["CVE-2020-35847", "CVE-2020-35848"],
"vendor": [],
"reference": [
"https://github.com/w33vils/CVE-2020-35847_CVE-2020-35848",
"https://swarm.ptsecurity.com/rce-cockpit-cms/"
],
"status": "released",
"details": {
"change_data": "new coverage"
},
"ori_release_version": "8441",
"latest_release_version": "8441",
"ori_release_time": "2021-08-06T23:35:07Z",
"latest_release_time": "2021-08-06T23:35:07Z"
},
{
"id": "91476",
"name": "Microsoft Exchange Server Cross-Site Scripting Vulnerability",
"description": "Microsoft Exchange Server is prone to a cross-site scripting vulnerability while parsing certain crafted HTTP requests. The vulnerability is due to the lack of proper checks on HTTP requests, leading to an exploitable cross-site scripting vulnerability. An attacker could exploit the vulnerability by sending crafted HTTP requests. A successful attack could lead to remote code execution with the privileges of the currently logged-in user.",
"category": "code-execution",
"min_version": "8.1.0",
"max_version": "",
"severity": "high",
"default_action": "reset-server",
"cve": ["CVE-2021-31195"],
"vendor": [],
"reference": [
"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31195"
],
"status": "released",
"details": [],
"ori_release_version": "8441",
"latest_release_version": "8441",
"ori_release_time": "2021-08-06T23:35:07Z",
"latest_release_time": "2021-08-06T23:35:07Z"
}
]
},
"message": "Successful"
}

Example 7: Request information about IPS signatures included in a specific release

curl -H 'X-API-KEY: API_KEY' 'https://api.threatvault.paloaltonetworks.com/service/v1/threats?releaseVersion=8447'

A successful API call returns, within the Contents section, status="success" along with the IPS threat signatures released in content release version 8447:

{
"success": true,
"link": {
"next": null,
"previous": null
},
"count": 6,
"data": {
"vulnerability": [
{
"id": "31321",
"name": "Symantec VERITAS NetBackup Buffer Overflow Vulnerability",
"description": "Symantec VERITAS NetBackup is prone to a buffer overflow vulnerability while parsing certain crafted TCP requests. The vulnerability is due to the lack of proper checks on TCP requests, leading to an exploitable buffer overflow vulnerability. An attacker could exploit the vulnerability by sending crafted TCP requests. A successful attack could lead to remote code execution with the privileges of the server.",
"category": "overflow",
"min_version": "8.1.0",
"max_version": "",
"severity": "high",
"default_action": "alert",
"cve": ["CVE-2006-0991"],
"vendor": [],
"reference": ["http://support.veritas.com/docs/281521"],
"status": "released",
"details": {
"change_data": "improved detection logic for decoder updates"
},
"ori_release_version": "107",
"latest_release_version": "8447",
"ori_release_time": "2009-02-06T00:00:00Z",
"latest_release_time": "2021-08-19T05:10:05Z"
},
{
"id": "57523",
"name": "Trimble SketchUp BMP RLE4 Heap Buffer Overflow Vulnerability",
"description": "Trimble Navigation Sketchup is prone to a remote code execution vulnerability while parsing certain crafted BMP files. The vulnerability is due to the lack of proper checks on BMP files, leading to an exploitable remote code execution vulnerability. An attacker could exploit the vulnerability by sending a crafted BMP file. A successful attack could lead to remote code execution with the privileges of the logged-in user.",
"category": "code-execution",
"min_version": "8.1.0",
"max_version": "",
"severity": "high",
"default_action": "alert",
"cve": ["CVE-2013-3664"],
"vendor": [],
"reference": [
"http://blog.binamuse.com/2013/05/multiple-vulnerabilities-on-sketchup.html"
],
"status": "released",
"details": {
"change_data": "improved detection logic for decoder updates"
},
"ori_release_version": "8227",
"latest_release_version": "8447",
"ori_release_time": "2020-01-17T17:30:05Z",
"latest_release_time": "2021-08-19T05:10:05Z"
},
{
"id": "59236",
"name": "Trimble SketchUp BMP RLE4 Heap Buffer Overflow Vulnerability",
"description": "Trimble Navigation Sketchup is prone to a remote code execution vulnerability while parsing certain crafted BMP files. The vulnerability is due to the lack of proper checks on BMP files, leading to an exploitable remote code execution vulnerability. An attacker could exploit the vulnerability by sending a crafted BMP file. A successful attack could lead to remote code execution with the privileges of the logged-in user.",
"category": "code-execution",
"min_version": "8.1.0",
"max_version": "",
"severity": "high",
"default_action": "alert",
"cve": ["CVE-2013-3663"],
"vendor": [],
"reference": [
"http://www.sketchup.com/products/sketchup-pro/new-in-2013"
],
"status": "released",
"details": {
"change_data": "improved detection logic for decoder updates"
},
"ori_release_version": "8318",
"latest_release_version": "8447",
"ori_release_time": "2020-09-10T12:35:07Z",
"latest_release_time": "2021-08-19T05:10:05Z"
},
{
"id": "91363",
"name": "Impacket ATExec Detection",
"description": "This signature detects the post-exploitation tool ATExec by Impacket. The trigger of this signature should not be considered malicious all the time as it could be used by legitimate users to execute commands on a remote machine, but this tool is used widely by researchers and attackers for lateral movement.",
"category": "hacktool",
"min_version": "8.1.0",
"max_version": "",
"severity": "medium",
"default_action": "alert",
"cve": [],
"vendor": [],
"reference": [
"https://github.com/SecureAuthCorp/impacket/blob/master/examples/atexec.py"
],
"status": "released",
"details": {
"change_data": "new coverage"
},
"ori_release_version": "8447",
"latest_release_version": "8447",
"ori_release_time": "2021-08-19T05:10:05Z",
"latest_release_time": "2021-08-19T05:10:05Z"
},
{
"id": "91468",
"name": "Tenda AC11 Stack Buffer Overflow Vulnerability",
"description": "Tenda AC11 devices with firmware up to and including 02.03.01.104_CN is prone to a stack buffer overflow vulnerability while parsing certain crafted HTTP requests. The vulnerability is due to the lack of proper checks on mac input in HTTP requests, leading to an exploitable buffer overflow. An attacker could exploit the vulnerability by sending a crafted HTTP request. A successful attack could lead to arbitrary code execution.",
"category": "overflow",
"min_version": "8.1.0",
"max_version": "",
"severity": "critical",
"default_action": "reset-server",
"cve": ["CVE-2021-31755"],
"vendor": [],
"reference": ["https://github.com/Yu3H0/IoT_CVE/tree/main/Tenda/CVE_3"],
"status": "released",
"details": {
"change_data": "new coverage"
},
"ori_release_version": "8447",
"latest_release_version": "8447",
"ori_release_time": "2021-08-19T05:10:05Z",
"latest_release_time": "2021-08-19T05:10:05Z"
},
{
"id": "91510",
"name": "Google Chrome Type Confusion Vulnerability",
"description": "Google Chrome is prone to a type confusion vulnerability while parsing certain crafted HTML files. The vulnerability is due to the lack of proper checks on HTML files, leading to an exploitable type confusion vulnerability. An attacker could exploit the vulnerability by sending a crafted HTML file. A successful attack could lead to remote code execution with the privileges of the currently logged-in user.",
"category": "code-execution",
"min_version": "8.1.0",
"max_version": "",
"severity": "high",
"default_action": "reset-both",
"cve": ["CVE-2021-30517"],
"vendor": [],
"reference": [
"https://bugs.chromium.org/p/chromium/issues/detail?id=1203122"
],
"status": "released",
"details": {
"change_data": "new coverage"
},
"ori_release_version": "8447",
"latest_release_version": "8447",
"ori_release_time": "2021-08-19T05:10:05Z",
"latest_release_time": "2021-08-19T05:10:05Z"
}
]
},
"message": "Successful"
}

Example 8: Request information about IPS signatures released on a specific date

curl -H 'X-API-KEY: API_KEY' 'https://api.threatvault.paloaltonetworks.com/service/v1/threats?releaseDate=2021-08-10'

A successful API call returns, within the Contents section, status="success" along with the IPS threat signatures released on August 10, 2021:

{
"success": true,
"link": {
"next": null,
"previous": null
},
"count": 15,
"data": {
"spyware": [
{
"id": "21571",
"name": "vjW0rm Worm Traffic Detection",
"description": "This signature detects traffic generated by vjW0rm worm.",
"category": "net-worm",
"min_version": "8.1.0",
"max_version": "",
"severity": "critical",
"default_action": "reset-both",
"cve": [],
"vendor": [],
"reference": [],
"status": "released",
"details": {
"change_data": "new coverage"
},
"ori_release_version": "8443",
"latest_release_version": "8443",
"ori_release_time": "2021-08-10T17:50:06Z",
"latest_release_time": "2021-08-10T17:50:06Z"
},
{
"id": "21572",
"name": "Generic Trojan Downloader Traffic Detection",
"description": "This signature detects malicious file downloader traffic.",
"category": "downloader",
"min_version": "8.1.0",
"max_version": "",
"severity": "critical",
"default_action": "reset-both",
"cve": [],
"vendor": [],
"reference": [],
"status": "released",
"details": {
"change_data": "new coverage"
},
"ori_release_version": "8443",
"latest_release_version": "8443",
"ori_release_time": "2021-08-10T17:50:06Z",
"latest_release_time": "2021-08-10T17:50:06Z"
},
{
"id": "21574",
"name": "Andromeda Command and Control Traffic Detection",
"description": "This signature detects command and control traffic generated by Andromeda.",
"category": "command-and-control",
"min_version": "8.1.0",
"max_version": "",
"severity": "critical",
"default_action": "reset-both",
"cve": [],
"vendor": [],
"reference": [],
"status": "released",
"details": {
"change_data": "new coverage"
},
"ori_release_version": "8443",
"latest_release_version": "8443",
"ori_release_time": "2021-08-10T17:50:06Z",
"latest_release_time": "2021-08-10T17:50:06Z"
},
{
"id": "21587",
"name": "Sality Command and Control Traffic Detection",
"description": "This signature detects command and control traffic generated by Sality.",
"category": "command-and-control",
"min_version": "8.1.0",
"max_version": "",
"severity": "critical",
"default_action": "reset-both",
"cve": [],
"vendor": [],
"reference": [],
"status": "released",
"details": {
"change_data": "new coverage"
},
"ori_release_version": "8443",
"latest_release_version": "8443",
"ori_release_time": "2021-08-10T17:50:06Z",
"latest_release_time": "2021-08-10T17:50:06Z"
},
{
"id": "80858",
"name": "Webshell.CFM.tennc.Cmd_Shell File Detection",
"description": "This signature covers webshells from the tennc repository. This webshell provides unauthorized remote access to underlying operating system functions on the compromised system, potentially enabling remote code execution, data exfiltration, and mounting multi-stage cyber attacks.",
"category": "webshell",
"min_version": "8.1.0",
"max_version": "",
"severity": "high",
"default_action": "reset-both",
"cve": [],
"vendor": [],
"reference": [
"https://github.com/tennc/webshell/tree/master//net-friend/cfm/mycode12.cfm"
],
"status": "released",
"details": {
"change_data": "improved detection logic for decoder updates"
},
"ori_release_version": "8165",
"latest_release_version": "8443",
"ori_release_time": "2019-06-25T17:45:09Z",
"latest_release_time": "2021-08-10T17:50:06Z"
}
],
"vulnerability": [
{
"id": "33361",
"name": "Intel vPro Management Modules Authentication Bypass Vulnerability",
"description": "Intel vPro including Intel Active Management Technology (AMT) is prone to an authentication bypass vulnerability while parsing certain crafted HTTP requests. The vulnerability is due to the lack of proper checks on HTTP requests, leading to an exploitable authentication bypass vulnerability. An attacker could exploit the vulnerability by sending crafted HTTP requests. A successful attack could lead to information disclosure with the privileges of the server.",
"category": "info-leak",
"min_version": "8.1.0",
"max_version": "",
"severity": "critical",
"default_action": "reset-server",
"cve": ["CVE-2017-5689"],
"vendor": [],
"reference": [
"https://www.embedi.com/files/white-papers/Silent-Bob-is-Silent.pdf",
"https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr",
"https://www.embedi.com/news/mythbusters-cve-2017-5689",
"http://www.tenable.com/blog/rediscovering-the-intel-amt-vulnerability"
],
"status": "released",
"details": {
"change_data": "improved detection logic to cover a new exploit"
},
"ori_release_version": "699",
"latest_release_version": "8442",
"ori_release_time": "2017-05-16T12:10:03Z",
"latest_release_time": "2021-08-10T03:45:09Z"
},
{
"id": "58544",
"name": "Multiple Products RMI Insecure Deserialization Vulnerability",
"description": "Multiple Products are prone to an insecure deserialization vulnerability while parsing certain crafted RMI requests. The vulnerability is due to the lack of proper checks on RMI requests, leading to an exploitable insecure deserialization vulnerability. An attacker could exploit the vulnerability by sending crafted RMI requests. A successful attack could lead to remote code execution with the privileges of the server.",
"category": "code-execution",
"min_version": "8.1.0",
"max_version": "",
"severity": "critical",
"default_action": "reset-server",
"cve": ["CVE-2020-3280", "CVE-2020-36239"],
"vendor": [],
"reference": [
"https://threatpost.com/critical-cisco-rce-flaw-unified-ccx/155980/",
"https://confluence.atlassian.com/adminjiraserver/jira-data-center-and-jira-service-management-data-center-security-advisory-2021-07-21-1063571388.html"
],
"status": "released",
"details": {
"change_data": "new coverage"
},
"ori_release_version": "8285",
"latest_release_version": "8442",
"ori_release_time": "2020-06-23T16:25:11Z",
"latest_release_time": "2021-08-10T03:45:09Z"
},
{
"id": "91362",
"name": "Impacket WMIExec Detection",
"description": "This signature detects the post-exploitation tool WMIExec by Impacket. The trigger of this signature should not be considered malicious all the time as it could be used by legitimate users to execute commands on a remote machine, but this tool is used widely by researchers and attackers for lateral movement.",
"category": "hacktool",
"min_version": "8.1.0",
"max_version": "",
"severity": "medium",
"default_action": "alert",
"cve": [],
"vendor": [],
"reference": [
"https://github.com/SecureAuthCorp/impacket/blob/master/examples/wmiexec.py"
],
"status": "released",
"details": {
"change_data": "new coverage"
},
"ori_release_version": "8443",
"latest_release_version": "8443",
"ori_release_time": "2021-08-10T17:50:06Z",
"latest_release_time": "2021-08-10T17:50:06Z"
},
{
"id": "91379",
"name": "Dubbo Telnet Handler Remote Code Execution Vulnerability",
"description": "Dubbo Telnet Handler is prone to a remote code execution vulnerability while parsing certain crafted TELNET requests. The vulnerability is due to the lack of proper checks on TELNET requests, leading to an exploitable remote code execution vulnerability. An attacker could exploit the vulnerability by sending crafted TELNET requests. A successful attack could lead to remote code execution with the privileges of the server.",
"category": "code-execution",
"min_version": "8.1.0",
"max_version": "",
"severity": "medium",
"default_action": "alert",
"cve": ["CVE-2021-32824"],
"vendor": [],
"reference": [
"https://securitylab.github.com/advisories/GHSL-2021-034_043-apache-dubbo/"
],
"status": "released",
"details": {
"change_data": "new coverage"
},
"ori_release_version": "8442",
"latest_release_version": "8442",
"ori_release_time": "2021-08-10T03:45:09Z",
"latest_release_time": "2021-08-10T03:45:09Z"
},
{
"id": "91434",
"name": "Microsoft Scripting Engine Memory Corruption Vulnerability",
"description": "Microsoft Scripting Engine is prone to a memory corruption vulnerability while parsing certain crafted HTML files. The vulnerability is due to the lack of proper checks on HTML files, leading to an exploitable memory corruption vulnerability. An attacker could exploit the vulnerability by sending a crafted HTML file. A successful attack could lead to memory corruption condition with the privileges of the currently logged-in user.",
"category": "code-execution",
"min_version": "8.1.0",
"max_version": "",
"severity": "high",
"default_action": "reset-both",
"cve": ["CVE-2021-34480"],
"vendor": [],
"reference": [
"https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2021-34480"
],
"status": "released",
"details": {
"change_data": "new coverage"
},
"ori_release_version": "8443",
"latest_release_version": "8443",
"ori_release_time": "2021-08-10T17:50:06Z",
"latest_release_time": "2021-08-10T17:50:06Z"
},
{
"id": "91438",
"name": "Microsoft Remote Desktop Client Remote Code Execution Vulnerability",
"description": "Microsoft Remote Desktop Client is prone to an integer overflow vulnerability while parsing certain crafted RDP responses. The vulnerability is due to the lack of proper checks on RDP responses, leading to an exploitable integer overflow vulnerability. An attacker could exploit the vulnerability by sending a crafted RDP response. A successful attack could lead to remote code execution with the privileges of the currently logged-in user.",
"category": "overflow",
"min_version": "8.1.0",
"max_version": "",
"severity": "critical",
"default_action": "reset-client",
"cve": ["CVE-2021-34535"],
"vendor": [],
"reference": [
"https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2021-34535"
],
"status": "released",
"details": {
"change_data": "new coverage"
},
"ori_release_version": "8443",
"latest_release_version": "8443",
"ori_release_time": "2021-08-10T17:50:06Z",
"latest_release_time": "2021-08-10T17:50:06Z"
},
{
"id": "91442",
"name": "ViewGood CMS SQL Injection Vulnerability",
"description": "ViewGood CMS is prone to a SQL injection vulnerability while parsing certain crafted HTTP requests. The vulnerability is due to the lack of proper checks on HTTP requests, leading to an exploitable SQL injection vulnerability. An attacker could exploit the vulnerability by sending crafted HTTP requests. A successful attack could lead to remote code execution with the privileges of the server.",
"category": "sql-injection",
"min_version": "8.1.0",
"max_version": "",
"severity": "medium",
"default_action": "alert",
"cve": [],
"vendor": [],
"reference": [
"https://github.com/Lucifer1993/AngelSword/blob/master/cms/viewgood/viewgood_two_sqli.py"
],
"status": "released",
"details": {
"change_data": "new coverage"
},
"ori_release_version": "8442",
"latest_release_version": "8442",
"ori_release_time": "2021-08-10T03:45:09Z",
"latest_release_time": "2021-08-10T03:45:09Z"
},
{
"id": "91443",
"name": "Microsoft Outlook Web Access Login Form Remote URI Redirection Vulnerability",
"description": "Microsoft Outlook Web Access (OWA) is prone to a remote URI redirection vulnerability while parsing certain crafted HTTP requests. The vulnerability is due to the lack of proper checks on HTTP requests, leading to an exploitable URI redirection vulnerability. An attacker could exploit the vulnerability by sending a crafted HTTP request. A successful exploit could lead to information disclosure.",
"category": "info-leak",
"min_version": "8.1.0",
"max_version": "",
"severity": "medium",
"default_action": "alert",
"cve": ["CVE-2005-0420"],
"vendor": [],
"reference": ["https://www.securityfocus.com/bid/12459/exploit"],
"status": "released",
"details": {
"change_data": "improved detection logic to cover a new exploit"
},
"ori_release_version": "8443",
"latest_release_version": "8443",
"ori_release_time": "2021-08-10T17:50:06Z",
"latest_release_time": "2021-08-10T17:50:06Z"
},
{
"id": "91444",
"name": "Hikvision IP Camera Unauthenticated Information Disclosure Vulnerability",
"description": "Hikvision IP Camera is prone to an information disclosure vulnerability while parsing certain crafted HTTP requests. The vulnerability is due to the lack of proper checks on HTTP requests, leading to an exploitable information disclosure vulnerability. An attacker could exploit the vulnerability by sending a crafted HTTP request. A successful attack could lead to information disclosure.",
"category": "info-leak",
"min_version": "8.1.0",
"max_version": "",
"severity": "medium",
"default_action": "alert",
"cve": [],
"vendor": [],
"reference": ["https://ipvm.com/reports/hik-exploit"],
"status": "released",
"details": {
"change_data": "new coverage"
},
"ori_release_version": "8443",
"latest_release_version": "8443",
"ori_release_time": "2021-08-10T17:50:06Z",
"latest_release_time": "2021-08-10T17:50:06Z"
},
{
"id": "91450",
"name": "Microsoft Windows Services For NFS RPC XDR Kernel Driver Remote Code Execution Vulnerability",
"description": "Microsoft Windows NFS RPC XDR Kernel Driver is prone to an out-of-bound memory write vulnerability while parsing certain crafted NFS requests. The vulnerability is due to the lack of proper checks on NFS requests, leading to an exploitable out-of-bound memory write vulnerability. An attacker could exploit the vulnerability by sending crafted NFS requests. A successful attack could lead to remote code execution with the privileges of the server.",
"category": "code-execution",
"min_version": "8.1.0",
"max_version": "",
"severity": "critical",
"default_action": "alert",
"cve": ["CVE-2021-26432"],
"vendor": [],
"reference": [
"https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2021-26432"
],
"status": "released",
"details": {
"change_data": "new coverage"
},
"ori_release_version": "8443",
"latest_release_version": "8443",
"ori_release_time": "2021-08-10T17:50:06Z",
"latest_release_time": "2021-08-10T17:50:06Z"
}
]
},
"message": "Successful"
}
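
The release-version and release-date queries above return both brand-new signatures and updates to existing ones, which a defender can tell apart from the ori_release_version and latest_release_version fields, and every response carries a link.next that must be followed until it is null. The following Python helper is an added example, not Palo Alto Networks' own client code: it walks the pages, splits a release into new versus updated coverage, and lists high/critical signatures whose default action is only alert. The THREATVAULT_API_KEY variable name and the sample pages are constructed for the demonstration.

```python
"""Helpers for working with Threat Vault /service/v1/threats responses.

Added example, not Palo Alto Networks' own client code. It assumes the
response shape shown on this page ("success", "link", "count", "data"
grouped by signature type, each entry carrying "ori_release_version",
"latest_release_version", "severity", "default_action", ...).
"""
import json
import os
import urllib.request
from typing import Callable, Dict, Iterator, List

API_BASE = "https://api.threatvault.paloaltonetworks.com/service/v1/threats"


def http_fetch(url: str) -> dict:
    """Fetch one page, reading the key from the environment rather than
    from source (THREATVAULT_API_KEY is a hypothetical variable name)."""
    key = os.environ["THREATVAULT_API_KEY"]
    req = urllib.request.Request(url, headers={"X-API-KEY": key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def iter_signatures(first_url: str,
                    fetch: Callable[[str], dict] = http_fetch) -> Iterator[dict]:
    """Yield every signature entry, following link.next until it is null.
    `fetch` is injectable so the walk can be exercised offline."""
    url, seen = first_url, set()
    while url:
        if url in seen:  # guard against a server echoing the same next link
            raise RuntimeError(f"pagination loop at {url}")
        seen.add(url)
        page = fetch(url)
        if not page.get("success"):
            raise RuntimeError(f"API reported failure: {page.get('message')}")
        # "data" is grouped by signature type ("vulnerability", "spyware", ...)
        for sig_type, entries in page.get("data", {}).items():
            for entry in entries:
                yield {"type": sig_type, **entry}
        url = page.get("link", {}).get("next")


def classify_release(entries, release_version: str) -> Dict[str, List[str]]:
    """Split a release's signatures into new coverage (first released in
    this version) and updates to older signatures (only latest_release_version
    matches), the distinction Example 7's response exposes."""
    result: Dict[str, List[str]] = {"new": [], "updated": [], "other": []}
    for e in entries:
        if e["ori_release_version"] == release_version:
            result["new"].append(e["id"])
        elif e["latest_release_version"] == release_version:
            result["updated"].append(e["id"])
        else:
            result["other"].append(e["id"])
    return result


def alert_only_high_severity(entries) -> List[str]:
    """IDs of high/critical signatures whose default_action is only 'alert';
    these are the ones a reviewer may want to tighten in a protection profile."""
    return [e["id"] for e in entries
            if e["severity"] in ("high", "critical")
            and e["default_action"] == "alert"]


# Constructed two-page sample in the shape of Example 7 (not real API output).
FIRST_URL = API_BASE + "?releaseVersion=8447"
NEXT_URL = API_BASE + "?releaseVersion=8447&limit=2&offset=2"
SAMPLE_PAGES = {
    FIRST_URL: {
        "success": True, "count": 3, "message": "Successful",
        "link": {"next": NEXT_URL, "previous": None},
        "data": {"vulnerability": [
            {"id": "31321", "severity": "high", "default_action": "alert",
             "ori_release_version": "107", "latest_release_version": "8447"},
            {"id": "91363", "severity": "medium", "default_action": "alert",
             "ori_release_version": "8447", "latest_release_version": "8447"},
        ]},
    },
    NEXT_URL: {
        "success": True, "count": 3, "message": "Successful",
        "link": {"next": None, "previous": FIRST_URL},
        "data": {"vulnerability": [
            {"id": "91468", "severity": "critical", "default_action": "reset-server",
             "ori_release_version": "8447", "latest_release_version": "8447"},
        ]},
    },
}


def fake_fetch(url: str) -> dict:
    """Offline stand-in for http_fetch that serves the constructed pages."""
    return SAMPLE_PAGES[url]


def review_release(release_version: str, fetch=fake_fetch) -> dict:
    """Walk every page of a release and summarise it for a reviewer."""
    sigs = list(iter_signatures(API_BASE + f"?releaseVersion={release_version}", fetch))
    return {"total": len(sigs),
            "coverage": classify_release(sigs, release_version),
            "alert_only_high": alert_only_high_severity(sigs)}


if __name__ == "__main__":
    print(json.dumps(review_release("8447"), indent=2))
```

Swap fake_fetch for http_fetch (with the key exported in the environment) to run the same review against the live service.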

Example 9: Request information about IPS signatures

curl -H 'X-API-KEY: API_KEY' 'https://api.threatvault.paloaltonetworks.com/service/v1/threats?type=ips'

A successful API call returns, within the Contents section, status="success" along with the details about all IPS threat signatures:

{
"success": true,
"link": {
"next": "https://api.threatvault.paloaltonetworks.com/service/v1/threats?limit=1000&offset=1000&type=ips",
"previous": null
},
"count": 27200,
"data": {
"spyware": [
{
"id": "10001",
"name": "Autorun User-Agent Traffic",
"description": "This signature detects a variety of user-agents in HTTP request headers that have been known to be used by the Autorun family of malicious software, and not known to be used by legitimate clients. The request header should be inspected to investigate the suspect user-agent. If the user-agent is atypical or unexpected, the endpoint should be inspected to determine the user-agent used to generate the request on the machine (typically malware).",
"category": "spyware",
"min_version": "8.1.0",
"max_version": "",
"severity": "medium",
"default_action": "alert",
"cve": [],
"vendor": [],
"reference": [
"http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32/Autorun",
"http://blogs.technet.com/b/mmpc/archive/2011/02/08/breaking-up-the-romance-between-malware-and-autorun.aspx",
"http://nakedsecurity.sophos.com/2011/06/15/usb-autorun-malware-on-the-wane/"
],
"status": "released",
"details": [],
"ori_release_version": "248",
"latest_release_version": "489",
"ori_release_time": "2011-05-23T14:55:16Z",
"latest_release_time": "2015-03-03T19:52:03Z"
},
{
"id": "10002",
"name": "Suspicious User-Agent Traffic",
"description": "This signature detects a variety of user-agents in HTTP request headers that have been known to be used by malicious software, and not known to be used by legitimate clients. The request header should be inspected to investigate the suspect user-agent. If the user-agent is atypical or unexpected, the endpoint should be inspected to determine the user-agent used to generate the request on the machine (typically malware).",
"category": "spyware",
"min_version": "8.1.0",
"max_version": "",
"severity": "medium",
"default_action": "alert",
"cve": [],
"vendor": [],
"reference": [],
"status": "released",
"details": [],
"ori_release_version": "248",
"latest_release_version": "8059",
"ori_release_time": "2011-05-23T14:55:16Z",
"latest_release_time": "2018-08-30T17:35:03Z"
},
{
"id": "10003",
"name": "Palevo User-Agent Traffic",
"description": "This signature detects Palevo user-agent traffic.",
"category": "spyware",
"min_version": "8.1.0",
"max_version": "",
"severity": "medium",
"default_action": "alert",
"cve": [],
"vendor": [],
"reference": [],
"status": "released",
"details": [],
"ori_release_version": "248",
"latest_release_version": "254",
"ori_release_time": "2011-05-23T14:55:16Z",
"latest_release_time": "2011-07-02T01:16:29Z"
},
==========================================================================
Shortened for brevity
==========================================================================
{
"id": "11582",
"name": "Bersek_1_0 show processes",
"description": "This signature detects the runtime behavior of the spyware Bersek 1.0.Bersek 1.0 is a trojan application. It can let a remote attacker to take control of victim's computer. The functions include file manager, processes manager, screen capture, keylogger, remote shell, etc",
"category": "keylogger",
"min_version": "8.1.0",
"max_version": "",
"severity": "high",
"default_action": "alert",
"cve": [],
"vendor": [],
"reference": [
"http://research.sunbelt-software.com/threatdisplay.aspx?name=Trojan.Bersek&threatid=48628",
"http://www.megasecurity.org/trojans/b/bersek/Bersek1.0.html",
"http://www.securitylab.ru/virus/271727.php"
],
"status": "disabled",
"details": [],
"ori_release_version": "107",
"latest_release_version": "107",
"ori_release_time": "2009-02-06T00:00:00Z",
"latest_release_time": "2009-02-06T00:00:00Z"
},
{
"id": "11583",
"name": "Bersek_1_0 file manager",
"description": "This signature detects the runtime behavior of the spyware Bersek 1.0.Bersek 1.0 is a trojan application. It can let a remote attacker to take control of victim's computer. The functions include file manager, processes manager, screen capture, keylogger, remote shell, etc",
"category": "keylogger",
"min_version": "8.1.0",
"max_version": "",
"severity": "high",
"default_action": "alert",
"cve": [],
"vendor": [],
"reference": [
"http://research.sunbelt-software.com/threatdisplay.aspx?name=Trojan.Bersek&threatid=48628",
"http://www.megasecurity.org/trojans/b/bersek/Bersek1.0.html",
"http://www.securitylab.ru/virus/271727.php"
],
"status": "disabled",
"details": [],
"ori_release_version": "107",
"latest_release_version": "107",
"ori_release_time": "2009-02-06T00:00:00Z",
"latest_release_time": "2009-02-06T00:00:00Z"
},
{
"id": "11584",
"name": "Bersek_1_0 init connection",
"description": "This signature detects the runtime behavior of the spyware Bersek 1.0.Bersek 1.0 is a trojan application. It can let a remote attacker to take control of victim's computer. The functions include file manager, processes manager, screen capture, keylogger, remote shell, etc",
"category": "keylogger",
"min_version": "8.1.0",
"max_version": "",
"severity": "high",
"default_action": "alert",
"cve": [],
"vendor": [],
"reference": [
"http://research.sunbelt-software.com/threatdisplay.aspx?name=Trojan.Bersek&threatid=48628",
"http://www.megasecurity.org/trojans/b/bersek/Bersek1.0.html",
"http://www.securitylab.ru/virus/271727.php"
],
"status": "disabled",
"details": [],
"ori_release_version": "107",
"latest_release_version": "107",
"ori_release_time": "2009-02-06T00:00:00Z",
"latest_release_time": "2009-02-06T00:00:00Z"