CVE Scanner
The CVE Scanner checks your Proxmox nodes for known security vulnerabilities by comparing installed packages against public CVE databases. It helps you identify and prioritize patching for critical vulnerabilities before they can be exploited.
Overview
ProxCenter connects to each Proxmox node via SSH, reads the list of installed Debian packages and their versions, and cross-references them against known CVE records. The results show which packages have known vulnerabilities, the severity of each CVE, and whether a patched version is available.
How It Works
- ProxCenter reads the installed package list from each node (`dpkg -l`)
- Package names and versions are compared against the Debian Security Tracker and NVD (National Vulnerability Database)
- Matching CVEs are returned with their severity score, description, and fix status
No software is installed on the Proxmox nodes -- the scan is read-only and non-intrusive.
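The matching step described above depends on Debian's version ordering rather than plain string comparison. The sketch below is an added example, not ProxCenter's code: it parses `dpkg -l` output and flags packages older than the fixed version. The record layout (modelled on the Debian Security Tracker's JSON export, keyed here by binary package name for brevity, with `"0"` treated as "not affected"), the package names and the CVE ids are assumptions.

```python
import re

def _order(c):
    # dpkg character order: '~' sorts before end-of-run (0), letters before the rest
    return -1 if c == "~" else ord(c) + (0 if c.isalpha() else 256)

def _runs(s):
    # Peel off the leading non-digit and digit runs; 0 marks the end of the first
    nd, d = re.match(r"(\D*)(\d*)", s).groups()
    return [_order(c) for c in nd] + [0, int(d or 0)], s[len(nd + d):]

def _cmp_part(a, b):
    while a or b:
        (ka, a), (kb, b) = _runs(a), _runs(b)
        if ka != kb:
            return -1 if ka < kb else 1
    return 0

def deb_cmp(a, b):
    # Debian version order over [epoch:]upstream[-revision]; returns -1, 0 or 1
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        up, rev = rest.rsplit("-", 1) if "-" in rest else (rest, "")
        return int(epoch), up, rev
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    return (ea > eb) - (ea < eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)

def parse_dpkg_l(text):
    # Keep fully installed ("ii") rows only; drop the ":amd64" arch qualifier
    rows = (line.split() for line in text.splitlines())
    return {f[1].split(":")[0]: f[2] for f in rows if len(f) >= 3 and f[0] == "ii"}

def findings(pkgs, tracker, release):
    for name, installed in pkgs.items():
        for cve, info in tracker.get(name, {}).items():
            rel = info.get("releases", {}).get(release, {})
            fixed = rel.get("fixed_version")
            if rel.get("status") == "open":
                yield cve, name, installed, None    # affected, no fix yet
            elif fixed and fixed != "0" and deb_cmp(installed, fixed) < 0:
                yield cve, name, installed, fixed   # affected, fix available

# Constructed sample input (hypothetical packages, placeholder CVE ids, assumed layout)
DPKG_L = """ii  libexample1:amd64  1:2.4.0~rc1-1    amd64  constructed
ii  exampled           3.1.2-4+deb12u1  amd64  constructed
rc  oldpkg             1.0-1            amd64  removed, config files remain"""
TRACKER = {
    "libexample1": {"CVE-0000-0001": {"releases": {"bookworm": {"status": "resolved", "fixed_version": "1:2.4.0-1"}}}},
    "exampled": {"CVE-0000-0002": {"releases": {"bookworm": {"status": "open"}}}}}
print(list(findings(parse_dpkg_l(DPKG_L), TRACKER, "bookworm")))
```

A plain string comparison would rank `2.4.0~rc1` above `2.4.0` and miss the first finding; the `rc` row is skipped because the package is removed and only its configuration files remain.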
Scan Results
For each node, the scanner displays:
| Field | Description |
|---|---|
| CVE ID | The unique CVE identifier (e.g., CVE-2024-1234) |
| Package | The affected Debian package name |
| Installed Version | The version currently installed on the node |
| Fixed Version | The version that resolves the vulnerability (if available) |
| Severity | CVSS score and severity level (Critical, High, Medium, Low) |
| Description | Brief description of the vulnerability |
Results can be sorted by severity, package name, or CVE date. A summary card at the top shows the total count by severity level.
Scheduling Scans
You can run scans on demand or schedule them to run automatically:
- On demand -- Click Scan Now on any node or across all nodes
- Scheduled -- Configure a recurring scan (daily, weekly) from the scanner settings
Scan results are stored historically, so you can track your patching progress over time.
After applying system updates to a node, run a new scan to verify that the patched packages are reflected in the results. The previous scan results remain available for comparison.
Filtering and Export
- Filter by severity -- Focus on critical and high vulnerabilities first
- Filter by fix status -- Show only CVEs that have a fix available (actionable items)
- Export -- Download the scan results as CSV for reporting or compliance documentation
The CVE Scanner requires SSH access to each Proxmox node. Nodes without an active SSH connection will be skipped during the scan.
The CVE Scanner is available in the Enterprise edition.
Permissions
| Permission | Description |
|---|---|
| security.view | View CVE scan results |
| security.manage | Run CVE scans and configure schedules |