docs/ref/modules/vulnerability-scanner/api-reference.md
The Vulnerability Scanner module indexes package and operating system vulnerability data into a dedicated index within the Wazuh indexer (OpenSearch), so the information can be retrieved using the OpenSearch API.
For a quick reference, the vulnerabilities can be retrieved using the `GET /wazuh-states-vulnerabilities/_search` endpoint.
The `wazuh-states-vulnerabilities` index is updated using bulk upserts and deletes.

- Package vulnerability document ID: `<agentId>_<packageInventoryId>_<cveId>`.
- OS vulnerability document ID: `<agentId>_<osName>_<osVersion>_<cveId>`.
- `host.os.full` is built from the OS name + version (macOS uses the codename).
- `host.os.version` is built from `major.minor.patch.build`, not from the raw OS version string.
- For OS vulnerabilities, `package.*` is populated with OS data to represent the affected component.
- `package.path` and `package.type` are indexed as `""` when empty, and queries use `""` for those fields.
- `@timestamp` and `event.*` are intentionally not set in indexed documents because the mapping is strict.

Below are some examples of indexed vulnerabilities following the Elastic Common Schema (ECS):
{
"_index": "wazuh-states-vulnerabilities",
"_id": "001_9ad9d4c11defa663706b9812ffdf99572e969058_CVE-2016-2781",
"_score": 1,
"_source": {
"agent": {
"id": "001",
"name": "1495da319fdc",
"type": "Wazuh",
"version": "v4.11.2"
},
"host": {
"os": {
"full": "Ubuntu 22.04.5 LTS (Jammy Jellyfish)",
"kernel": "5.15.0-138-generic",
"name": "Ubuntu",
"platform": "ubuntu",
"type": "ubuntu",
"version": "22.04.5"
}
},
"package": {
"architecture": "amd64",
"description": "GNU core utilities",
"name": "coreutils",
"size": 7282688,
"type": "deb",
"version": "8.32-4.1ubuntu1.2"
},
"vulnerability": {
"category": "Packages",
"classification": "-",
"description": "chroot in GNU coreutils, when used with --userspec, allows local users toescape to the parent session via a crafted TIOCSTI ioctl call, which pushescharacters to the terminal's input buffer.",
"detected_at": "2025-05-05T19:04:19.577Z",
"enumeration": "CVE",
"id": "CVE-2016-2781",
"published_at": "2017-02-07T15:59:00Z",
"reference": "https://ubuntu.com/security/CVE-2016-2781, https://www.cve.org/CVERecord?id=CVE-2016-2781",
"scanner": {
"condition": "Package default status",
"reference": "https://cti.wazuh.com/vulnerabilities/cves/CVE-2016-2781",
"source": "Canonical Security Tracker",
"vendor": "Wazuh"
},
"score": {
"base": 6.5,
"version": "3.0"
},
"severity": "Medium",
"under_evaluation": false
},
"wazuh": {
"cluster": {
"name": "jammy"
},
"schema": {
"version": "1.0.0"
}
}
}
}
{
"_index": "wazuh-states-vulnerabilities",
"_id": "002_f660c0f64f48a92f0afe744f658e223bd5238bf1_CVE-2022-3219",
"_score": 1,
"_source": {
"agent": {
"id": "002",
"name": "5abe6b9cecda",
"type": "Wazuh",
"version": "v4.11.2"
},
"host": {
"os": {
"full": "CentOS Linux 8.4.2105",
"kernel": "5.15.0-138-generic",
"name": "CentOS Linux",
"platform": "centos",
"type": "centos",
"version": "8.4.2105"
}
},
"package": {
"architecture": "x86_64",
"description": "Utility for secure communication and data storage",
"installed": "2021-09-15T14:17:36.000Z",
"name": "gnupg2",
"size": 9923131,
"type": "rpm",
"version": "2.2.20-2.el8"
},
"vulnerability": {
"category": "Packages",
"classification": "-",
"description": "DOCUMENTATION: A vulnerability was found in GnuPG. GnuPG can spin on a relatively small input by crafting a public key with thousands of signatures attached and compressed down to a few kilobytes. This issue can potentially cause a denial of service.",
"detected_at": "2025-05-05T19:04:20.037Z",
"enumeration": "CVE",
"id": "CVE-2022-3219",
"published_at": "2023-02-23T20:15:12Z",
"reference": "https://access.redhat.com/security/cve/CVE-2022-3219",
"scanner": {
"condition": "Package default status",
"reference": "https://cti.wazuh.com/vulnerabilities/cves/CVE-2022-3219",
"source": "Red Hat CVE Database",
"vendor": "Wazuh"
},
"score": {
"base": 6.2,
"version": "3.1"
},
"severity": "Medium",
"under_evaluation": false
},
"wazuh": {
"cluster": {
"name": "jammy"
},
"schema": {
"version": "1.0.0"
}
}
}
}
{
"_index": "wazuh-states-vulnerabilities",
"_id": "003_Microsoft Windows Server 2019 Datacenter Evaluation_CVE-2024-43558",
"_score": 1,
"_source": {
"agent": {
"id": "003",
"name": "vagrant",
"type": "Wazuh",
"version": "v4.11.2"
},
"host": {
"os": {
"full": "Microsoft Windows Server 2019 Datacenter Evaluation 10.0.17763.1935",
"name": "Microsoft Windows Server 2019 Datacenter Evaluation",
"platform": "windows",
"type": "windows",
"version": "10.0.17763.1935"
}
},
"package": {
"architecture": "x86_64",
"name": "Microsoft Windows Server 2019 Datacenter Evaluation 10.0.17763.1935",
"type": "windows",
"version": "10.0.17763.1935"
},
"vulnerability": {
"category": "OS",
"classification": "CVSS",
"description": "Windows Mobile Broadband Driver Denial of Service Vulnerability",
"detected_at": "2025-05-05T19:23:53.627Z",
"enumeration": "CVE",
"id": "CVE-2024-43558",
"published_at": "2024-10-08T18:15:22Z",
"reference": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43558",
"scanner": {
"condition": "Package less than 10.0.17763.6414",
"reference": "https://cti.wazuh.com/vulnerabilities/cves/CVE-2024-43558",
"source": "National Vulnerability Database",
"vendor": "Wazuh"
},
"score": {
"base": 6.5,
"version": "3.1"
},
"severity": "Medium",
"under_evaluation": false
},
"wazuh": {
"cluster": {
"name": "jammy"
},
"schema": {
"version": "1.0.0"
}
}
}
}