diff --git a/schema/v5.0/CVE_JSON_5.0_schema.json b/schema/v5.0/CVE_JSON_5.0_schema.json index c838e55a9be..5b520bcf5eb 100644 --- a/schema/v5.0/CVE_JSON_5.0_schema.json +++ b/schema/v5.0/CVE_JSON_5.0_schema.json @@ -121,7 +121,7 @@ "maxLength": 2048 }, "collectionURL": { - "description": "URL identifying a package collection (determines meaning of packageName).", + "description": "URL identifying a package collection (determines the meaning of packageName).", "$ref": "#/definitions/uriType", "examples": [ "https://access.redhat.com/downloads/content/package-browser", @@ -197,7 +197,7 @@ }, "cpes": { "type": "array", - "description": "Affected products defined by CPE. This is an array of CPE values (vulnerable and not), we use an array so that we can make multiple statements about the same version and they are separate (if we used a JSON object we'd essentially be keying on the CPE name and they would have to overlap). Also this allows things like cveDataVersion or cveDescription to be applied directly to the product entry. This also allows more complex statements such as \"Product X between versions 10.2 and 10.8\" to be put in a machine-readable format. As well since multiple statements can be used multiple branches of the same product can be defined here.", + "description": "Affected products defined by CPE. This is an array of CPE values (vulnerable and not), we use an array so that we can make multiple statements about the same version and they are separate (if we used a JSON object we'd essentially be keying on the CPE name and they would have to overlap). Also, this allows things like cveDataVersion or cveDescription to be applied directly to the product entry. This also allows more complex statements such as \"Product X between versions 10.2 and 10.8\" to be put in a machine-readable format. As well since multiple statements can be used multiple branches of the same product can be defined here.", "uniqueItems": true, "items": { "title": "CPE Name", @@ -236,7 +236,7 @@ "uniqueItems": true, "items": { "type": "object", - "description": "Object describing program routine.", + "description": "An object describing program routine.", "required": [ "name" ], @@ -252,13 +252,13 @@ }, "platforms": { "title": "Platforms", - "description": "List of specific platforms if the vulnerability is only relevant in the context of these platforms (optional). Platforms may include execution environments, operating systems, virtualization technologies, hardware models, or computing architectures. Lack of this field or an empty array implies that the other fields are applicable for all relevant platforms.", + "description": "List of specific platforms if the vulnerability is only relevant in the context of these platforms (optional). Platforms may include execution environments, operating systems, virtualization technologies, hardware models, or computing architectures. The lack of this field or an empty array implies that the other fields are applicable to all relevant platforms.", "type": "array", "minItems": 1, "uniqueItems": true, "items": { "type": "string", - "examples": ["iOS", "Android", "Windows", "macOS", "x86", "ARM", "64 bit", "Big Endian", "iPad", "Chromebook", "Docker"], + "examples": ["iOS", "Android", "Windows", "macOS", "x86", "ARM", "64 bit", "Big Endian", "iPad", "Chromebook", "Docker", "Model T"], "maxLength": 1024 } }, @@ -497,7 +497,7 @@ }, "title": { "type": "string", - "description": "A title, headline, or a brief phrase summarizing the of the CVE record. Eg., Buffer overflow in Example Soft.", + "description": "A title, headline, or a brief phrase summarizing the CVE record. Eg., Buffer overflow in Example Soft.", "minLength": 1, "maxLength": 256 }, @@ -848,7 +848,7 @@ "properties": { "format": { "type": "string", - "description": "Name of the score format. This provides a bit future proofing. Additional properties are not prohibited, so this will support inclusion of proprietary formats. It also provides an easy future conversion mechanism when future score formats become part of the schema. example: cvssV4_4, format = 'cvssV4_4', other = cvssV4_4 json object. In the future the other properties can be converted to score properties when they become part of the schema.", + "description": "Name of the scoring format. This provides a bit of future proofing. Additional properties are not prohibited, so this will support the inclusion of proprietary formats. It also provides an easy future conversion mechanism when future score formats become part of the schema. example: cvssV44, format = 'cvssV44', other = cvssV4_4 JSON object. In the future, the other properties can be converted to score properties when they become part of the schema.", "minLength": 1, "maxLength": 64 }, @@ -1146,7 +1146,7 @@ "$ref": "#/definitions/cveMetadataPublished" }, "containers": { - "description": "A set of structures (called containers) used to store vulnerability information related to a specific CVE ID provided by a specific organization participating in the CVE program. Each container includes information provided by a different source.\n\nAt minimum, a 'cna' container containing the vulnerability information provided by the CNA who initially assigned the CVE ID must be included.\n\nThere can only be one 'cna' container, as there can only be one assigning CNA. However, there can be multiple 'adp' containers, allowing multiple organizations participating in the CVE program to add additional information related to the vulnerability. For the most part, the 'cna' and 'adp' containers contain the same properties. The main differences are the source of the information and the 'cna' container requires the CNA include certain fields, while the 'adp' container does not.", + "description": "A set of structures (called containers) used to store vulnerability information related to a specific CVE ID provided by a specific organization participating in the CVE program. Each container includes information provided by a different source.\n\nAt a minimum, a 'cna' container containing the vulnerability information provided by the CNA who initially assigned the CVE ID must be included.\n\nThere can only be one 'cna' container, as there can only be one assigning CNA. However, there can be multiple 'adp' containers, allowing multiple organizations participating in the CVE program to add additional information related to the vulnerability. For the most part, the 'cna' and 'adp' containers contain the same properties. The main differences are the source of the information. The 'cna' container requires the CNA to include certain fields, while the 'adp' container does not.", "type": "object", "properties": { "cna": {"$ref": "#/definitions/cnaPublishedContainer"}, diff --git a/schema/v5.0/docs/CVE_JSON_5.0_bundled.json b/schema/v5.0/docs/CVE_JSON_5.0_bundled.json index c3098a00544..4cf417a3ece 100644 --- a/schema/v5.0/docs/CVE_JSON_5.0_bundled.json +++ b/schema/v5.0/docs/CVE_JSON_5.0_bundled.json @@ -169,7 +169,7 @@ "maxLength": 2048 }, "collectionURL": { - "description": "URL identifying a package collection (determines meaning of packageName).", + "description": "URL identifying a package collection (determines the meaning of packageName).", "$ref": "#/definitions/uriType", "examples": [ "https://access.redhat.com/downloads/content/package-browser", @@ -245,7 +245,7 @@ }, "cpes": { "type": "array", - "description": "Affected products defined by CPE. This is an array of CPE values (vulnerable and not), we use an array so that we can make multiple statements about the same version and they are separate (if we used a JSON object we'd essentially be keying on the CPE name and they would have to overlap). Also this allows things like cveDataVersion or cveDescription to be applied directly to the product entry. This also allows more complex statements such as \"Product X between versions 10.2 and 10.8\" to be put in a machine-readable format. As well since multiple statements can be used multiple branches of the same product can be defined here.", + "description": "Affected products defined by CPE. This is an array of CPE values (vulnerable and not), we use an array so that we can make multiple statements about the same version and they are separate (if we used a JSON object we'd essentially be keying on the CPE name and they would have to overlap). Also, this allows things like cveDataVersion or cveDescription to be applied directly to the product entry. This also allows more complex statements such as \"Product X between versions 10.2 and 10.8\" to be put in a machine-readable format. As well since multiple statements can be used multiple branches of the same product can be defined here.", "uniqueItems": true, "items": { "title": "CPE Name", @@ -284,7 +284,7 @@ "uniqueItems": true, "items": { "type": "object", - "description": "Object describing program routine.", + "description": "An object describing program routine.", "required": [ "name" ], @@ -300,7 +300,7 @@ }, "platforms": { "title": "Platforms", - "description": "List of specific platforms if the vulnerability is only relevant in the context of these platforms (optional). Platforms may include execution environments, operating systems, virtualization technolgies, hardware models, or computing architectures. Lack of this field or an empty array implies that the other fields are applicable for all relevant platforms.", + "description": "List of specific platforms if the vulnerability is only relevant in the context of these platforms (optional). Platforms may include execution environments, operating systems, virtualization technologies, hardware models, or computing architectures. The lack of this field or an empty array implies that the other fields are applicable to all relevant platforms.", "type": "array", "minItems": 1, "uniqueItems": true, @@ -317,7 +317,8 @@ "Big Endian", "iPad", "Chromebook", - "Docker" + "Docker", + "Model T" ], "maxLength": 1024 } @@ -582,7 +583,7 @@ }, "title": { "type": "string", - "description": "A title, headline, or a brief phrase summarizing the of the CVE record. Eg., Buffer overflow in Example Soft.", + "description": "A title, headline, or a brief phrase summarizing the CVE record. Eg., Buffer overflow in Example Soft.", "minLength": 1, "maxLength": 256 }, @@ -656,7 +657,7 @@ }, "replacedBy": { "type": "array", - "description": "Contains an array of CVE IDs that this CVE ID was rejected in favor of because the this CVE ID was assigned to the vulnerabilities.", + "description": "Contains an array of CVE IDs that this CVE ID was rejected in favor of because this CVE ID was assigned to the vulnerabilities.", "minItems": 1, "uniqueItems": true, "items": { @@ -961,7 +962,7 @@ "properties": { "format": { "type": "string", - "description": "Name of the score format. This provides a bit future proofing. Additional properties are not prohibitied, so this will support inclusion of proprietary formats. It also provides an easy future conversion mechanism when future score formats become part of the schema. example: cvssV4_4, format = 'cvssV4_4', other = cvssV4_4 json object. In the future the other properties can be converted to score properties when they become part of the schema.", + "description": "Name of the scoring format. This provides a bit of future proofing. Additional properties are not prohibited, so this will support the inclusion of proprietary formats. It also provides an easy future conversion mechanism when future score formats become part of the schema. example: cvssV44, format = 'cvssV44', other = cvssV4_4 JSON object. In the future, the other properties can be converted to score properties when they become part of the schema.", "minLength": 1, "maxLength": 64 }, @@ -1966,7 +1967,7 @@ "$ref": "#/definitions/cveMetadataPublished" }, "containers": { - "description": "A set of structures (called containers) used to store vulnerability information related to a specific CVE ID provided by a specific organization participating in the CVE program. Each container includes information provided by a different source.\n\nAt minimum, a 'cna' container containing the vulnerability information provided by the CNA who initially assigned the CVE ID must be included.\n\nThere can only be one 'cna' container, as there can only be one assigning CNA. However, there can be multiple 'adp' containers, allowing multiple organizations participating in the CVE program to add additional information related to the vulnerability. For the most part, the 'cna' and 'adp' containers contain the same properties. The main differences are the source of the information and the 'cna' container requires the CNA include certain fields, while the 'adp' container does not.", + "description": "A set of structures (called containers) used to store vulnerability information related to a specific CVE ID provided by a specific organization participating in the CVE program. Each container includes information provided by a different source.\n\nAt a minimum, a 'cna' container containing the vulnerability information provided by the CNA who initially assigned the CVE ID must be included.\n\nThere can only be one 'cna' container, as there can only be one assigning CNA. However, there can be multiple 'adp' containers, allowing multiple organizations participating in the CVE program to add additional information related to the vulnerability. For the most part, the 'cna' and 'adp' containers contain the same properties. The main differences are the source of the information. The 'cna' container requires the CNA to include certain fields, while the 'adp' container does not.", "type": "object", "properties": { "cna": { diff --git a/schema/v5.0/docs/index.html b/schema/v5.0/docs/index.html index c533f6c1da5..e69434f03dc 100644 --- a/schema/v5.0/docs/index.html +++ b/schema/v5.0/docs/index.html @@ -1,9 +1,9 @@ -
cve-schema specifies the CVE JSON record format. This is the blueprint for a rich set of JSON data that can be submitted by CVE Numbering Authorities (CNAs) and Authorized Data Publishers (ADPs) to describe a CVE Record. Some examples of CVE Record data include CVE ID number, affected product(s), affected version(s), and public references. While those specific items are required when assigning a CVE, there are many other optional data in the schema that can be used to enrich CVE Records for community benefit. Learn more about the CVE program at the official website. This CVE JSON record format is defined using JSON Schema. Learn more about JSON Schema here.
When a CNA populates the data associated with a CVE ID as a CVE Record, the state of the CVE Record is Published.
No Additional PropertiesIndicates the type of information represented in the JSON instance.
The version of the schema being used. Used to support multiple versions of this format.
This is meta data about the CVE ID such as the CVE ID, who requested it, who assigned it, when it was requested, the current state (PUBLISHED, REJECTED, etc.) and so on. These fields are controlled by the CVE Services.
No Additional PropertiesThe CVE identifier that this record pertains to.
Must match regular expression:^CVE-[0-9]{4}-[0-9]{4,19}$
The UUID for the organization to which the CVE ID was originally assigned. This UUID can be used to lookup the organization record in the user registry service.
Must match regular expression:^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
The short name for the organization to which the CVE ID was originally assigned.
Must be at least 2
characters long
Must be at most 32
characters long
The date/time the record was last updated.
Must match regular expression:^(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})?$
The system of record causes this to start at 1, and increment by 1 each time a submission from a data provider changes this CVE Record. The incremented value moves to the Rejected schema upon a PUBLISHED->REJECTED transition, and moves to the Published schema upon a REJECTED->PUBLISHED transition.
Value must be greater or equal to 1
The date/time this CVE ID was reserved in the CVE automation workgroup services system. Disclaimer: This date reflects when the CVE ID was reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Same definition as dateUpdatedThe date/time the CVE Record was first published in the CVE List.
Same definition as dateUpdatedState of CVE - PUBLISHED, REJECTED.
A set of structures (called containers) used to store vulnerability information related to a specific CVE ID provided by a specific organization participating in the CVE program. Each container includes information provided by a different source.
At minimum, a 'cna' container containing the vulnerability information provided by the CNA who initially assigned the CVE ID must be included.
There can only be one 'cna' container, as there can only be one assigning CNA. However, there can be multiple 'adp' containers, allowing multiple organizations participating in the CVE program to add additional information related to the vulnerability. For the most part, the 'cna' and 'adp' containers contain the same properties. The main differences are the source of the information and the 'cna' container requires the CNA include certain fields, while the 'adp' container does not.
An object containing the vulnerability information provided by a CVE Numbering Authority (CNA) for a published CVE ID. There can only be one CNA container per CVE record since there can only be one assigning CNA. The CNA container must include the required information defined in the CVE Rules, which includes a product, version, problem type, prose description, and a reference.
No Additional PropertiesDetails related to the information container provider (CNA or ADP).
The container provider's organizational short name.
Same definition as assignerShortNameTimestamp to be set by the system of record at time of submission. If dateUpdated is provided to the system of record it will be replaced by the current timestamp at the time of submission.
Same definition as dateUpdatedThe date/time this CVE ID was associated with a vulnerability by a CNA.
Same definition as dateUpdatedIf known, the date/time the vulnerability was disclosed publicly.
Same definition as dateUpdatedA title, headline, or a brief phrase summarizing the of the CVE record. Eg., Buffer overflow in Example Soft.
Must be at least 1
characters long
Must be at most 256
characters long
A list of multi-lingual descriptions of the vulnerability. E.g., [PROBLEMTYPE] in [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] on [PLATFORMS] allows [ATTACKER] to [IMPACT] via [VECTOR]. OR [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] [ROOT CAUSE], which allows [ATTACKER] to [IMPACT] via [VECTOR].
Must contain a minimum of 1
items
All items must be unique
Text in a particular language with optional alternate markup or formatted representation (e.g., Markdown) or embedded media.
No Additional PropertiesBCP 47 language code, language-region.
Must match regular expression:^[A-Za-z]{2,4}([_-][A-Za-z]{4})?([_-]([A-Za-z]{2}|[0-9]{3}))?$
Plain text description.
Must be at least 1
characters long
Must be at most 4096
characters long
Supporting media data for the description such as markdown, diagrams, .. (optional). Similar to RFC 2397 each media object has three main parts: media type, media data value, and an optional boolean flag to indicate if the media data is base64 encoded.
Must contain a minimum of 1
items
All items must be unique
RFC2046 compliant IANA Media type for eg., text/markdown, text/html.
Must be at least 1
characters long
Must be at most 256
characters long
"text/markdown"
+ CVE JSON record format CVE JSON record format
cve-schema specifies the CVE JSON record format. This is the blueprint for a rich set of JSON data that can be submitted by CVE Numbering Authorities (CNAs) and Authorized Data Publishers (ADPs) to describe a CVE Record. Some examples of CVE Record data include CVE ID number, affected product(s), affected version(s), and public references. While those specific items are required when assigning a CVE, there are many other optional data in the schema that can be used to enrich CVE Records for community benefit. Learn more about the CVE program at the official website. This CVE JSON record format is defined using JSON Schema. Learn more about JSON Schema here.
Type: object
When a CNA populates the data associated with a CVE ID as a CVE Record, the state of the CVE Record is Published.
No Additional Properties
Type: enum (of string)
Indicates the type of information represented in the JSON instance.
Must be one of:
- "CVE_RECORD"
Type: enum (of string)
The version of the schema being used. Used to support multiple versions of this format.
Must be one of:
- "5.0"
Type: object
This is meta data about the CVE ID such as the CVE ID, who requested it, who assigned it, when it was requested, the current state (PUBLISHED, REJECTED, etc.) and so on. These fields are controlled by the CVE Services.
No Additional Properties
Type: string
The CVE identifier that this record pertains to.
Must match regular expression: ^CVE-[0-9]{4}-[0-9]{4,19}$
Type: string
The UUID for the organization to which the CVE ID was originally assigned. This UUID can be used to lookup the organization record in the user registry service.
Must match regular expression: ^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
Type: string
The short name for the organization to which the CVE ID was originally assigned.
Must be at least 2
characters long
Must be at most 32
characters long
Type: string
The date/time the record was last updated.
Must match regular expression: ^(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})?$
Type: integer
The system of record causes this to start at 1, and increment by 1 each time a submission from a data provider changes this CVE Record. The incremented value moves to the Rejected schema upon a PUBLISHED->REJECTED transition, and moves to the Published schema upon a REJECTED->PUBLISHED transition.
Value must be greater or equal to 1
Type: string
The date/time this CVE ID was reserved in the CVE automation workgroup services system. Disclaimer: This date reflects when the CVE ID was reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Same definition as dateUpdated
Type: string
The date/time the CVE Record was first published in the CVE List.
Same definition as dateUpdated
Type: enum (of string)
State of CVE - PUBLISHED, REJECTED.
Must be one of:
- "PUBLISHED"
Type: object
A set of structures (called containers) used to store vulnerability information related to a specific CVE ID provided by a specific organization participating in the CVE program. Each container includes information provided by a different source.
At a minimum, a 'cna' container containing the vulnerability information provided by the CNA who initially assigned the CVE ID must be included.
There can only be one 'cna' container, as there can only be one assigning CNA. However, there can be multiple 'adp' containers, allowing multiple organizations participating in the CVE program to add additional information related to the vulnerability. For the most part, the 'cna' and 'adp' containers contain the same properties. The main differences are the source of the information. The 'cna' container requires the CNA to include certain fields, while the 'adp' container does not.
No Additional Properties
Type: object
An object containing the vulnerability information provided by a CVE Numbering Authority (CNA) for a published CVE ID. There can only be one CNA container per CVE record since there can only be one assigning CNA. The CNA container must include the required information defined in the CVE Rules, which includes a product, version, problem type, prose description, and a reference.
No Additional Properties
Type: object
Details related to the information container provider (CNA or ADP).
Type: string
The container provider's organizational short name.
Same definition as assignerShortName
Type: string
Timestamp to be set by the system of record at time of submission. If dateUpdated is provided to the system of record it will be replaced by the current timestamp at the time of submission.
Same definition as dateUpdated
Type: string
The date/time this CVE ID was associated with a vulnerability by a CNA.
Same definition as dateUpdated
Type: string
If known, the date/time the vulnerability was disclosed publicly.
Same definition as dateUpdated
Type: string
A title, headline, or a brief phrase summarizing the CVE record. Eg., Buffer overflow in Example Soft.
Must be at least 1
characters long
Must be at most 256
characters long
Type: array
A list of multi-lingual descriptions of the vulnerability. E.g., [PROBLEMTYPE] in [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] on [PLATFORMS] allows [ATTACKER] to [IMPACT] via [VECTOR]. OR [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] [ROOT CAUSE], which allows [ATTACKER] to [IMPACT] via [VECTOR].
Must contain a minimum of 1
items
All items must be unique
Each item of this array must be:
Type: object
Text in a particular language with optional alternate markup or formatted representation (e.g., Markdown) or embedded media.
No Additional Properties
Type: string Default: "en"
BCP 47 language code, language-region.
Must match regular expression: ^[A-Za-z]{2,4}([_-][A-Za-z]{4})?([_-]([A-Za-z]{2}|[0-9]{3}))?$
Type: string
Plain text description.
Must be at least 1
characters long
Must be at most 4096
characters long
Type: array of object
Supporting media data for the description such as markdown, diagrams, .. (optional). Similar to RFC 2397 each media object has three main parts: media type, media data value, and an optional boolean flag to indicate if the media data is base64 encoded.
Must contain a minimum of 1
items
All items must be unique
Each item of this array must be:
Type: object
Type: string
RFC2046 compliant IANA Media type for eg., text/markdown, text/html.
Must be at least 1
characters long
Must be at most 256
characters long
Examples:
"text/markdown"
"text/html"
"image/png"
"image/svg"
"audio/mp3"
-
Type: boolean Default: false
If true then the value field contains the media data encoded in base64. If false then the value field contains the UTF-8 media content.
Type: string
Supporting media content, up to 16K. If base64 is true, this field stores base64 encoded data.
Must be at least 1
characters long
Must be at most 16384
characters long
At least one of the items must be:
Type: object
A description with lang set to an English language (en, enUS, enUK, and so on).
Type: string
BCP 47 language code, language-region, required to be English.
Must match regular expression: ^en([_-][A-Za-z]{4})?([_-]([A-Za-z]{2}|[0-9]{3}))?$
Type: array
List of affected products.
Must contain a minimum of 1
items
Each item of this array must be:
Type: object
Provides information about the set of products and services affected by this vulnerability.
Type: object
The following properties are required:
- product
- vendor
Type: object
The following properties are required:
- packageName
- collectionURL
Type: object
The following properties are required:
- versions
Type: object
The following properties are required:
- defaultStatus
Type: string
Name of the organization, project, community, individual, or user that created or maintains this product or hosted service. Can be 'N/A' if none of those apply. When collectionURL and packageName are used, this field may optionally represent the user or account within the package collection associated with the package.
Must be at least 1
characters long
Must be at most 512
characters long
Type: string
Name of the affected product.
Must be at least 1
characters long
Must be at most 2048
characters long
Type: string
URL identifying a package collection (determines meaning of packageName).
Must be at least 1
characters long
Must be at most 2048
characters long
Examples:
"https://access.redhat.com/downloads/content/package-browser"
+
Type: boolean Default: false
If true then the value field contains the media data encoded in base64. If false then the value field contains the UTF-8 media content.
Type: string
Supporting media content, up to 16K. If base64 is true, this field stores base64 encoded data.
Must be at least 1
characters long
Must be at most 16384
characters long
At least one of the items must be:
Type: object
A description with lang set to an English language (en, enUS, enUK, and so on).
Type: string
BCP 47 language code, language-region, required to be English.
Must match regular expression: ^en([_-][A-Za-z]{4})?([_-]([A-Za-z]{2}|[0-9]{3}))?$
Type: array
List of affected products.
Must contain a minimum of 1
items
Each item of this array must be:
Type: object
Provides information about the set of products and services affected by this vulnerability.
Type: object
The following properties are required:
- vendor
- product
Type: object
The following properties are required:
- packageName
- collectionURL
Type: object
The following properties are required:
- versions
Type: object
The following properties are required:
- defaultStatus
Type: string
Name of the organization, project, community, individual, or user that created or maintains this product or hosted service. Can be 'N/A' if none of those apply. When collectionURL and packageName are used, this field may optionally represent the user or account within the package collection associated with the package.
Must be at least 1
characters long
Must be at most 512
characters long
Type: string
Name of the affected product.
Must be at least 1
characters long
Must be at most 2048
characters long
Type: string
URL identifying a package collection (determines the meaning of packageName).
Must be at least 1
characters long
Must be at most 2048
characters long
Examples:
"https://access.redhat.com/downloads/content/package-browser"
"https://addons.mozilla.org"
"https://addons.thunderbird.net"
"https://anaconda.org/anaconda/repo"
@@ -66,7 +66,7 @@
"https://search.nixos.org/packages"
"https://sourceforge.net"
"https://wordpress.org/plugins"
-
Type: string
Name or identifier of the affected software package as used in the package collection.
Must be at least 1
characters long
Must be at most 2048
characters long
Type: array of string
Affected products defined by CPE. This is an array of CPE values (vulnerable and not), we use an array so that we can make multiple statements about the same version and they are separate (if we used a JSON object we'd essentially be keying on the CPE name and they would have to overlap). Also this allows things like cveDataVersion or cveDescription to be applied directly to the product entry. This also allows more complex statements such as "Product X between versions 10.2 and 10.8" to be put in a machine-readable format. As well since multiple statements can be used multiple branches of the same product can be defined here.
All items must be unique
Each item of this array must be:
Type: string
Common Platform Enumeration (CPE) Name in either 2.2 or 2.3 format
Must match regular expression: ([c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9._\-~%]*){0,6})|(cpe:2\.3:[aho*\-](:(((\?*|\*?)([a-zA-Z0-9\-._]|(\\[\\*?!"#$%&'()+,/:;<=>@\[\]\^`{|}~]))+(\?*|\*?))|[*\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[*\-]))(:(((\?*|\*?)([a-zA-Z0-9\-._]|(\\[\\*?!"#$%&'()+,/:;<=>@\[\]\^`{|}~]))+(\?*|\*?))|[*\-])){4})
Must be at least 1
characters long
Must be at most 2048
characters long
Type: array of string
A list of the affected components, features, modules, sub-components, sub-products, APIs, commands, utilities, programs, or functionalities (optional).
All items must be unique
Each item of this array must be:
Type: string
Name of the affected component, feature, module, sub-component, sub-product, API, command, utility, program, or functionality (optional).
Must be at least 1
characters long
Must be at most 4096
characters long
Type: array of string
A list of the affected source code files (optional).
All items must be unique
Each item of this array must be:
Type: string
Name or path or location of the affected source code file.
Must be at least 1
characters long
Must be at most 1024
characters long
Type: array of object
A list of the affected source code functions, methods, subroutines, or procedures (optional).
All items must be unique
Each item of this array must be:
Type: object
Object describing program routine.
Type: string
Name of the affected source code file, function, method, subroutine, or procedure.
Must be at least 1
characters long
Must be at most 4096
characters long
Type: array of string
List of specific platforms if the vulnerability is only relevant in the context of these platforms (optional). Platforms may include execution environments, operating systems, virtualization technolgies, hardware models, or computing architectures. Lack of this field or an empty array implies that the other fields are applicable for all relevant platforms.
Must contain a minimum of 1
items
All items must be unique
Each item of this array must be:
Type: string
Must be at most 1024
characters long
Examples:
"iOS"
+
Type: string
Name or identifier of the affected software package as used in the package collection.
Must be at least 1
characters long
Must be at most 2048
characters long
Type: array of string
Affected products defined by CPE. This is an array of CPE values (vulnerable and not), we use an array so that we can make multiple statements about the same version and they are separate (if we used a JSON object we'd essentially be keying on the CPE name and they would have to overlap). Also, this allows things like cveDataVersion or cveDescription to be applied directly to the product entry. This also allows more complex statements such as "Product X between versions 10.2 and 10.8" to be put in a machine-readable format. As well since multiple statements can be used multiple branches of the same product can be defined here.
All items must be unique
Each item of this array must be:
Type: string
Common Platform Enumeration (CPE) Name in either 2.2 or 2.3 format
Must match regular expression: ([c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9._\-~%]*){0,6})|(cpe:2\.3:[aho*\-](:(((\?*|\*?)([a-zA-Z0-9\-._]|(\\[\\*?!"#$%&'()+,/:;<=>@\[\]\^`{|}~]))+(\?*|\*?))|[*\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[*\-]))(:(((\?*|\*?)([a-zA-Z0-9\-._]|(\\[\\*?!"#$%&'()+,/:;<=>@\[\]\^`{|}~]))+(\?*|\*?))|[*\-])){4})
Must be at least 1
characters long
Must be at most 2048
characters long
Type: array of string
A list of the affected components, features, modules, sub-components, sub-products, APIs, commands, utilities, programs, or functionalities (optional).
All items must be unique
Each item of this array must be:
Type: string
Name of the affected component, feature, module, sub-component, sub-product, API, command, utility, program, or functionality (optional).
Must be at least 1
characters long
Must be at most 4096
characters long
Type: array of string
A list of the affected source code files (optional).
All items must be unique
Each item of this array must be:
Type: string
Name or path or location of the affected source code file.
Must be at least 1
characters long
Must be at most 1024
characters long
Type: array of object
A list of the affected source code functions, methods, subroutines, or procedures (optional).
All items must be unique
Each item of this array must be:
Type: object
An object describing program routine.
Type: string
Name of the affected source code file, function, method, subroutine, or procedure.
Must be at least 1
characters long
Must be at most 4096
characters long
Type: array of string
List of specific platforms if the vulnerability is only relevant in the context of these platforms (optional). Platforms may include execution environments, operating systems, virtualization technologies, hardware models, or computing architectures. The lack of this field or an empty array implies that the other fields are applicable to all relevant platforms.
Must contain a minimum of 1
items
All items must be unique
Each item of this array must be:
Type: string
Must be at most 1024
characters long
Examples:
"iOS"
"Android"
"Windows"
"macOS"
@@ -77,6 +77,7 @@
"iPad"
"Chromebook"
"Docker"
+
"Model T"
Type: string
The URL of the source code repository, for informational purposes and/or to resolve git hash version ranges.
Same definition as collectionURL
Type: enum (of string)
The default status for versions that are not otherwise listed in the versions list. If not specified, defaultStatus defaults to 'unknown'. Versions or defaultStatus may be omitted, but not both.
Must be one of:
- "affected"
- "unaffected"
- "unknown"
Type: array of object
Set of product versions or version ranges related to the vulnerability. The versions satisfy the CNA Rules 8.1.2 requirement. Versions or defaultStatus may be omitted, but not both.
Must contain a minimum of 1
items
All items must be unique
Each item of this array must be:
A single version or a range of versions, with vulnerability status.
An entry with only 'version' and 'status' indicates the status of a single version.
Otherwise, an entry describes a range; it must include the 'versionType' property, to define the version numbering semantics in use, and 'limit', to indicate the non-inclusive upper limit of the range. The object describes the status for versions V such that 'version' <= V and V < 'limit', using the <= and < semantics defined for the specific kind of 'versionType'. Status changes within the range can be specified by an optional 'changes' list.
The algorithm to decide the status specified for a version V is:
for entry in product.versions {
if entry.lessThan is not present and entry.lessThanOrEqual is not present and v == entry.version {
return entry.status
@@ -93,10 +94,10 @@
}
}
return product.defaultStatus
-
.
Type: object
The following properties are required:
- status
- version
Type: object
The following properties are required:
- lessThan
Type: object
The following properties are required:
- lessThanOrEqual
The following properties are required:
- versionType
- status
- version
Type: string
The single version being described, or the version at the start of the range. By convention, typically 0 denotes the earliest possible version.
Must be at least 1
characters long
Must be at most 1024
characters long
Type: enum (of string)
The vulnerability status for the version or range of versions. For a range, the status may be refined by the 'changes' list.
Same definition as defaultStatus
Type: string
The version numbering system used for specifying the range. This defines the exact semantics of the comparison (less-than) operation on versions, which is required to understand the range itself. 'Custom' indicates that the version type is unspecified and should be avoided whenever possible. It is included primarily for use in conversion of older data files.
Must be at least 1
characters long
Must be at most 128
characters long
Examples:
"custom"
+
.
Type: object
The following properties are required:
- version
- status
Type: object
The following properties are required:
- lessThan
Type: object
The following properties are required:
- lessThanOrEqual
The following properties are required:
- version
- versionType
- status
Type: string
The single version being described, or the version at the start of the range. By convention, typically 0 denotes the earliest possible version.
Must be at least 1
characters long
Must be at most 1024
characters long
Type: enum (of string)
The vulnerability status for the version or range of versions. For a range, the status may be refined by the 'changes' list.
Same definition as defaultStatus
Type: string
The version numbering system used for specifying the range. This defines the exact semantics of the comparison (less-than) operation on versions, which is required to understand the range itself. 'Custom' indicates that the version type is unspecified and should be avoided whenever possible. It is included primarily for use in conversion of older data files.
Must be at least 1
characters long
Must be at most 128
characters long
Examples:
"custom"
"git"
"maven"
"python"
"rpm"
"semver"
-
Type: string
The non-inclusive upper limit of the range. This is the least version NOT in the range. The usual version syntax is expanded to allow a pattern to end in an asterisk (*)
, indicating an arbitrarily large number in the version ordering. For example, {version: 1.0 lessThan: 1.*}
would describe the entire 1.X branch for most range kinds, and {version: 2.0, lessThan: *}
describes all versions starting at 2.0, including 3.0, 5.1, and so on. Only one of lessThan and lessThanOrEqual should be specified.
Same definition as version
Type: string
The inclusive upper limit of the range. This is the greatest version contained in the range. Only one of lessThan and lessThanOrEqual should be specified. For example, {version: 1.0, lessThanOrEqual: 1.3}
covers all versions from 1.0 up to and including 1.3.
Same definition as version
Type: array of object
A list of status changes that take place during the range. The array should be sorted in increasing order by the 'at' field, according to the versionType, but clients must re-sort the list themselves rather than assume it is sorted.
Must contain a minimum of 1
items
All items must be unique
Each item of this array must be:
Type: object
The start of a single status change during the range.
Type: enum (of string)
The new status in the range starting at the given version.
Same definition as defaultStatus
Type: array of object
This is problem type information (e.g. CWE identifier). Must contain: At least one entry, can be text, OWASP, CWE, please note that while only one is required you can use more than one (or indeed all three) as long as they are correct). (CNA requirement: [PROBLEMTYPE]).
Must contain a minimum of 1
items
All items must be unique
Each item of this array must be:
Type: object
Type: array of object
Must contain a minimum of 1
items
All items must be unique
Each item of this array must be:
Type: object
Type: string
Text description of problemType, or title from CWE or OWASP.
Must be at least 1
characters long
Must be at most 4096
characters long
Type: string
CWE ID of the CWE that best describes this problemType entry.
Must match regular expression: ^CWE-[1-9][0-9]*$
Must be at least 5
characters long
Must be at most 9
characters long
Type: string
Problemtype source, text, OWASP, CWE, etc.,
Must be at least 1
characters long
Must be at most 128
characters long
Type: array
This is reference data in the form of URLs or file objects (uuencoded and embedded within the JSON file, exact format to be decided, e.g. we may require a compressed format so the objects require unpacking before they are "dangerous").
Same definition as references
Type: array
This is reference data in the form of URLs or file objects (uuencoded and embedded within the JSON file, exact format to be decided, e.g. we may require a compressed format so the objects require unpacking before they are "dangerous").
Must contain a minimum of 1
items
Must contain a maximum of 512
items
All items must be unique
Each item of this array must be:
Type: object
Type: string
The uniform resource locator (URL), according to RFC 3986, that can be used to retrieve the referenced resource.
Same definition as collectionURL
Type: string
User created name for the reference, often the title of the page.
Must be at least 1
characters long
Must be at most 512
characters long
Type: array of object
Collection of impacts of this vulnerability.
Must contain a minimum of 1
items
All items must be unique
Each item of this array must be:
Type: object
This is impact type information (e.g. a text description.
Type: string
CAPEC ID that best relates to this impact.
Must match regular expression: ^CAPEC-[1-9][0-9]{0,4}$
Must be at least 7
characters long
Must be at most 11
characters long
Type: array
Prose description of the impact scenario. At a minimum provide the description given by CAPEC.
Same definition as descriptions
Type: array of object
Collection of impact scores with attribution.
Must contain a minimum of 1
items
All items must be unique
Each item of this array must be:
This is impact type information (e.g. a text description, CVSSv2, CVSSv3, etc.). Must contain: At least one entry, can be text, CVSSv2, CVSSv3, others may be added.
Type: object
The following properties are required:
- cvssV3_1
Type: object
The following properties are required:
- cvssV3_0
Type: object
The following properties are required:
- cvssV2_0
Type: object
The following properties are required:
- other
Type: string
Name of the score format. This provides a bit future proofing. Additional properties are not prohibitied, so this will support inclusion of proprietary formats. It also provides an easy future conversion mechanism when future score formats become part of the schema. example: cvssV44, format = 'cvssV44', other = cvssV4_4 json object. In the future the other properties can be converted to score properties when they become part of the schema.
Must be at least 1
characters long
Must be at most 64
characters long
Type: array of object
Description of the scenarios this metrics object applies to. If no specific scenario is given, GENERAL is used as the default and applies when no more specific metric matches.
Must contain a minimum of 1
items
All items must be unique
Each item of this array must be:
Type: object
Type: string Default: "GENERAL"
Description of the scenario this metrics object applies to. If no specific scenario is given, GENERAL is used as the default and applies when no more specific metric matches.
Must be at least 1
characters long
Must be at most 4096
characters long
Type: object
Type: enum (of string)
CVSS Version
Must be one of:
- "3.1"
Type: string
Must match regular expression: ^CVSS:3[.]1/((AV:[NALP]|AC:[LH]|PR:[NLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])/)*(AV:[NALP]|AC:[LH]|PR:[NLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])$
Type: enum (of string)
Must be one of:
- "NETWORK"
- "ADJACENT_NETWORK"
- "LOCAL"
- "PHYSICAL"
Type: enum (of string)
Must be one of:
- "HIGH"
- "LOW"
Type: enum (of string)
Must be one of:
- "HIGH"
- "LOW"
- "NONE"
Type: enum (of string)
Must be one of:
- "NONE"
- "REQUIRED"
Type: enum (of string)
Must be one of:
- "UNCHANGED"
- "CHANGED"
Type: enum (of string)
Must be one of:
- "NONE"
- "LOW"
- "HIGH"
Type: number
Value must be greater or equal to 0
and lesser or equal to 10
Type: enum (of string)
Must be one of:
- "NONE"
- "LOW"
- "MEDIUM"
- "HIGH"
- "CRITICAL"
Type: enum (of string)
Must be one of:
- "UNPROVEN"
- "PROOF_OF_CONCEPT"
- "FUNCTIONAL"
- "HIGH"
- "NOT_DEFINED"
Type: enum (of string)
Must be one of:
- "OFFICIAL_FIX"
- "TEMPORARY_FIX"
- "WORKAROUND"
- "UNAVAILABLE"
- "NOT_DEFINED"
Type: enum (of string)
Must be one of:
- "UNKNOWN"
- "REASONABLE"
- "CONFIRMED"
- "NOT_DEFINED"
Type: enum (of string)
Must be one of:
- "LOW"
- "MEDIUM"
- "HIGH"
- "NOT_DEFINED"
Type: enum (of string)
Must be one of:
- "NETWORK"
- "ADJACENT_NETWORK"
- "LOCAL"
- "PHYSICAL"
- "NOT_DEFINED"
Type: enum (of string)
Must be one of:
- "HIGH"
- "LOW"
- "NOT_DEFINED"
Type: enum (of string)
Must be one of:
- "HIGH"
- "LOW"
- "NONE"
- "NOT_DEFINED"
Type: enum (of string)
Must be one of:
- "NONE"
- "REQUIRED"
- "NOT_DEFINED"
Type: enum (of string)
Must be one of:
- "UNCHANGED"
- "CHANGED"
- "NOT_DEFINED"
Type: enum (of string)
Must be one of:
- "NONE"
- "LOW"
- "HIGH"
- "NOT_DEFINED"
Type: object
Type: enum (of string)
CVSS Version
Must be one of:
- "3.0"
Type: string
Must match regular expression: ^CVSS:3[.]0/((AV:[NALP]|AC:[LH]|PR:[UNLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XUNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])/)*(AV:[NALP]|AC:[LH]|PR:[UNLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XUNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])$
Type: enum (of string)
Must be one of:
- "NETWORK"
- "ADJACENT_NETWORK"
- "LOCAL"
- "PHYSICAL"
Type: enum (of string)
Must be one of:
- "HIGH"
- "LOW"
Type: enum (of string)
Must be one of:
- "HIGH"
- "LOW"
- "NONE"
Type: enum (of string)
Must be one of:
- "NONE"
- "REQUIRED"
Type: enum (of string)
Must be one of:
- "UNCHANGED"
- "CHANGED"
Type: enum (of string)
Must be one of:
- "NONE"
- "LOW"
- "HIGH"
Type: number
Value must be greater or equal to 0
and lesser or equal to 10
Type: enum (of string)
Must be one of:
- "NONE"
- "LOW"
- "MEDIUM"
- "HIGH"
- "CRITICAL"
Type: enum (of string)
Must be one of:
- "UNPROVEN"
- "PROOF_OF_CONCEPT"
- "FUNCTIONAL"
- "HIGH"
- "NOT_DEFINED"
Type: enum (of string)
Must be one of:
- "OFFICIAL_FIX"
- "TEMPORARY_FIX"
- "WORKAROUND"
- "UNAVAILABLE"
- "NOT_DEFINED"
Type: enum (of string)
Must be one of:
- "UNKNOWN"
- "REASONABLE"
- "CONFIRMED"
- "NOT_DEFINED"
Type: enum (of string)
Must be one of:
- "LOW"
- "MEDIUM"
- "HIGH"
- "NOT_DEFINED"
Type: enum (of string)
Must be one of:
- "NETWORK"
- "ADJACENT_NETWORK"
- "LOCAL"
- "PHYSICAL"
- "NOT_DEFINED"
Type: enum (of string)
Must be one of:
- "HIGH"
- "LOW"
- "NOT_DEFINED"
Type: enum (of string)
Must be one of:
- "HIGH"
- "LOW"
- "NONE"
- "NOT_DEFINED"
Type: enum (of string)
Must be one of:
- "NONE"
- "REQUIRED"
- "NOT_DEFINED"
Type: enum (of string)
Must be one of:
- "UNCHANGED"
- "CHANGED"
- "NOT_DEFINED"
Type: enum (of string)
Must be one of:
- "NONE"
- "LOW"
- "HIGH"
- "NOT_DEFINED"
Type: object
Type: enum (of string)
CVSS Version
Must be one of:
- "2.0"
Type: string
Must match regular expression: ^((AV:[NAL]|AC:[LMH]|Au:[MSN]|[CIA]:[NPC]|E:(U|POC|F|H|ND)|RL:(OF|TF|W|U|ND)|RC:(UC|UR|C|ND)|CDP:(N|L|LM|MH|H|ND)|TD:(N|L|M|H|ND)|[CIA]R:(L|M|H|ND))/)*(AV:[NAL]|AC:[LMH]|Au:[MSN]|[CIA]:[NPC]|E:(U|POC|F|H|ND)|RL:(OF|TF|W|U|ND)|RC:(UC|UR|C|ND)|CDP:(N|L|LM|MH|H|ND)|TD:(N|L|M|H|ND)|[CIA]R:(L|M|H|ND))$
Type: enum (of string)
Must be one of:
- "NETWORK"
- "ADJACENT_NETWORK"
- "LOCAL"
Type: enum (of string)
Must be one of:
- "HIGH"
- "MEDIUM"
- "LOW"
Type: enum (of string)
Must be one of:
- "MULTIPLE"
- "SINGLE"
- "NONE"
Type: enum (of string)
Must be one of:
- "NONE"
- "PARTIAL"
- "COMPLETE"
Type: number
Value must be greater or equal to 0
and lesser or equal to 10
Type: enum (of string)
Must be one of:
- "UNPROVEN"
- "PROOF_OF_CONCEPT"
- "FUNCTIONAL"
- "HIGH"
- "NOT_DEFINED"
Type: enum (of string)
Must be one of:
- "OFFICIAL_FIX"
- "TEMPORARY_FIX"
- "WORKAROUND"
- "UNAVAILABLE"
- "NOT_DEFINED"
Type: enum (of string)
Must be one of:
- "UNCONFIRMED"
- "UNCORROBORATED"
- "CONFIRMED"
- "NOT_DEFINED"
Type: enum (of string)
Must be one of:
- "NONE"
- "LOW"
- "LOW_MEDIUM"
- "MEDIUM_HIGH"
- "HIGH"
- "NOT_DEFINED"
Type: enum (of string)
Must be one of:
- "NONE"
- "LOW"
- "MEDIUM"
- "HIGH"
- "NOT_DEFINED"
Type: enum (of string)
Must be one of:
- "LOW"
- "MEDIUM"
- "HIGH"
- "NOT_DEFINED"
Type: object
A non-standard impact description, may be prose or JSON block.
Type: string
Name of the non-standard impact metrics format used.
Must be at least 1
characters long
Must be at most 128
characters long
Type: object
JSON object not covered by another metrics format.
Type: array
Configurations required for exploiting this vulnerability.
Must contain a minimum of 1
items
All items must be unique
Each item of this array must be:
Type: object
Text in a particular language with optional alternate markup or formatted representation (e.g., Markdown) or embedded media.
Same definition as description
Type: array
Workarounds and mitigations for this vulnerability.
Must contain a minimum of 1
items
All items must be unique
Each item of this array must be:
Type: object
Text in a particular language with optional alternate markup or formatted representation (e.g., Markdown) or embedded media.
Same definition as description
Type: array
Information about solutions or remediations available for this vulnerability.
Must contain a minimum of 1
items
All items must be unique
Each item of this array must be:
Type: object
Text in a particular language with optional alternate markup or formatted representation (e.g., Markdown) or embedded media.
Same definition as description
Type: array
Information about exploits of the vulnerability.
Must contain a minimum of 1
items
All items must be unique
Each item of this array must be:
Type: object
Text in a particular language with optional alternate markup or formatted representation (e.g., Markdown) or embedded media.
Same definition as description
Type: array of object
This is timeline information for significant events about this vulnerability or changes to the CVE Record.
Must contain a minimum of 1
items
All items must be unique
Each item of this array must be:
Type: object
Type: string
Timestamp representing when the event in the timeline occurred. The timestamp format is based on RFC3339 and ISO ISO8601, with an optional timezone. yyyy-MM-ddTHH:mm:ssZZZZ - if the timezone offset is not given, GMT (0000) is assumed.
Same definition as dateUpdated
Type: string Default: "en"
The language used in the description of the event. The language field is included so that CVE Records can support translations. The value must be a BCP 47 language code.
Same definition as lang
Type: string
A summary of the event.
Must be at least 1
characters long
Must be at most 4096
characters long
Type: array of object
Statements acknowledging specific people, organizations, or tools recognizing the work done in researching, discovering, remediating or helping with activities related to this CVE.
Must contain a minimum of 1
items
All items must be unique
Each item of this array must be:
Type: object
Type: string Default: "en"
The language used when describing the credits. The language field is included so that CVE Records can support translations. The value must be a BCP 47 language code.
Same definition as lang
Type: string
Must be at least 1
characters long
Must be at most 4096
characters long
Type: string
UUID of the user being credited if present in the CVE User Registry (optional). This UUID can be used to lookup the user record in the user registry service.
Same definition as assignerOrgId
Type: enum (of string) Default: "finder"
Type or role of the entity being credited (optional). finder: identifies the vulnerability.
reporter: notifies the vendor of the vulnerability to a CNA.
analyst: validates the vulnerability to ensure accuracy or severity.
coordinator: facilitates the coordinated response process.
remediation developer: prepares a code change or other remediation plans.
remediation reviewer: reviews vulnerability remediation plans or code changes for effectiveness and completeness.
remediation verifier: tests and verifies the vulnerability or its remediation.
tool: names of tools used in vulnerability discovery or identification.
sponsor: supports the vulnerability identification or remediation activities.
Must be one of:
- "finder"
- "reporter"
- "analyst"
- "coordinator"
- "remediation developer"
- "remediation reviewer"
- "remediation verifier"
- "tool"
- "sponsor"
- "other"
Type: object
This is the source information (who discovered it, who researched it, etc.) and optionally a chain of CNA information (e.g. the originating CNA and subsequent parent CNAs who have processed it before it arrives at the MITRE root).
Must contain: IF this is in the root level it MUST contain a CNA_chain entry, IF this source entry is NOT in the root (e.g. it is part of a vendor statement) then it must contain at least one type of data entry.
Type: array of object
List of taxonomy items related to the vulnerability.
Must contain a minimum of 1
items
All items must be unique
Each item of this array must be:
Type: object
Type: string
The name of the taxonomy.
Must be at least 1
characters long
Must be at most 128
characters long
Type: string
The version of taxonomy the identifiers come from.
Must be at least 1
characters long
Must be at most 128
characters long
Type: array of object
Must contain a minimum of 1
items
All items must be unique
Each item of this array must be:
Type: object
List of relationships to the taxonomy for the vulnerability. Relationships can be between the taxonomy and the CVE or two taxonomy items.
Type: string
Identifier of the item in the taxonomy. Used as the subject of the relationship.
Must be at least 1
characters long
Must be at most 2048
characters long
Type: string
A description of the relationship.
Must be at least 1
characters long
Must be at most 128
characters long
Type: string
The target of the relationship. Can be the CVE ID or another taxonomy identifier.
Must be at least 1
characters long
Must be at most 2048
characters long
All property whose name matches the following regular expression must respect the following conditions
Property name regular expression: ^x_[^.]*$
Type: object
Type: array
Must contain a minimum of 1
items
All items must be unique
Each item of this array must be:
Type: object
An object containing the vulnerability information provided by an Authorized Data Publisher (ADP). Since multiple ADPs can provide information for a CVE ID, an ADP container must indicate which ADP is the source of the information in the object.
No Additional Properties
Type: object
Details related to the information container provider (CNA or ADP).
Same definition as providerMetadata
Type: string
If known, the date/time the vulnerability was disclosed publicly.
Same definition as dateUpdated
Type: string
A title, headline, or a brief phrase summarizing the information in an ADP container.
Must be at least 1
characters long
Must be at most 256
characters long
Type: array
A list of multi-lingual descriptions of the vulnerability. E.g., [PROBLEMTYPE] in [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] on [PLATFORMS] allows [ATTACKER] to [IMPACT] via [VECTOR]. OR [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] [ROOT CAUSE], which allows [ATTACKER] to [IMPACT] via [VECTOR].
Same definition as descriptions
Type: array of object
This is problem type information (e.g. CWE identifier). Must contain: At least one entry, can be text, OWASP, CWE, please note that while only one is required you can use more than one (or indeed all three) as long as they are correct). (CNA requirement: [PROBLEMTYPE]).
Same definition as problemTypes
Type: array
This is reference data in the form of URLs or file objects (uuencoded and embedded within the JSON file, exact format to be decided, e.g. we may require a compressed format so the objects require unpacking before they are "dangerous").
Same definition as references
Type: array
Configurations required for exploiting this vulnerability.
Same definition as configurations
Type: array
Information about solutions or remediations available for this vulnerability.
Same definition as solutions
Type: array of object
This is timeline information for significant events about this vulnerability or changes to the CVE Record.
Same definition as timeline
Type: array of object
Statements acknowledging specific people, organizations, or tools recognizing the work done in researching, discovering, remediating or helping with activities related to this CVE.
Same definition as credits
Type: object
This is the source information (who discovered it, who researched it, etc.) and optionally a chain of CNA information (e.g. the originating CNA and subsequent parent CNAs who have processed it before it arrives at the MITRE root).
Must contain: IF this is in the root level it MUST contain a CNA_chain entry, IF this source entry is NOT in the root (e.g. it is part of a vendor statement) then it must contain at least one type of data entry.
Same definition as source
Type: array of object
List of taxonomy items related to the vulnerability.
Same definition as taxonomyMappings
All property whose name matches the following regular expression must respect the following conditions
Property name regular expression: ^x_[^.]*$
Type: object
Type: object
If the CVE ID and associated CVE Record should no longer be used, the CVE Record is placed in the Rejected state. A Rejected CVE Record remains on the CVE List so that users can know when it is invalid.
No Additional Properties
Type: enum (of string)
Indicates the type of information represented in the JSON instance.
Same definition as dataType
Type: enum (of string)
The version of the schema being used. Used to support multiple versions of this format.
Same definition as dataVersion
Type: object
This is meta data about the CVE ID such as the CVE ID, who requested it, who assigned it, when it was requested, the current state (PUBLISHED, REJECTED, etc.) and so on. These fields are controlled by the CVE Services.
No Additional Properties
Type: string
The UUID for the organization to which the CVE ID was originally assigned.
Same definition as assignerOrgId
Type: string
The short name for the organization to which the CVE ID was originally assigned.
Same definition as assignerShortName
Type: integer
The system of record causes this to start at 1, and increment by 1 each time a submission from a data provider changes this CVE Record. The incremented value moves to the Rejected schema upon a PUBLISHED->REJECTED transition, and moves to the Published schema upon a REJECTED->PUBLISHED transition.
Value must be greater or equal to 1
Type: string
The date/time the CVE Record was first published in the CVE List.
Same definition as dateUpdated
Type: enum (of string)
State of CVE - PUBLISHED, REJECTED.
Must be one of:
- "REJECTED"
Type: string
The date/time this CVE ID was reserved in the CVE automation workgroup services system. Disclaimer: This date reflects when the CVE ID was reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Same definition as dateUpdated
Type: object
A set of structures (called containers) used to store vulnerability information related to a specific CVE ID provided by a specific organization participating in the CVE program. Each container includes information provided by a different source.
At minimum, a 'cna' container containing the vulnerability information provided by the CNA who initially assigned the CVE ID must be included.
There can only be one 'cna' container, as there can only be one assigning CNA.
No Additional Properties
Type: object
An object containing the vulnerability information provided by a CVE Numbering Authority (CNA) for a rejected CVE ID. There can only be one CNA container per CVE record since there can only be one assigning CNA.
No Additional Properties
Type: object
Details related to the information container provider (CNA or ADP).
Same definition as providerMetadata
Type: array
Contains an array of CVE IDs that this CVE ID was rejected in favor of because the this CVE ID was assigned to the vulnerabilities.
Must contain a minimum of 1
items
All items must be unique
Each item of this array must be:
All property whose name matches the following regular expression must respect the following conditions
Property name regular expression: ^x_[^.]*$
Type: object
\ No newline at end of file
+
The non-inclusive upper limit of the range. This is the least version NOT in the range. The usual version syntax is expanded to allow a pattern to end in an asterisk (*)
, indicating an arbitrarily large number in the version ordering. For example, {version: 1.0 lessThan: 1.*}
would describe the entire 1.X branch for most range kinds, and {version: 2.0, lessThan: *}
describes all versions starting at 2.0, including 3.0, 5.1, and so on. Only one of lessThan and lessThanOrEqual should be specified.
The inclusive upper limit of the range. This is the greatest version contained in the range. Only one of lessThan and lessThanOrEqual should be specified. For example, {version: 1.0, lessThanOrEqual: 1.3}
covers all versions from 1.0 up to and including 1.3.
A list of status changes that take place during the range. The array should be sorted in increasing order by the 'at' field, according to the versionType, but clients must re-sort the list themselves rather than assume it is sorted.
Must contain a minimum of 1
items
All items must be unique
The start of a single status change during the range.
The new status in the range starting at the given version.
Same definition as defaultStatusThis is problem type information (e.g. CWE identifier). Must contain: At least one entry, can be text, OWASP, CWE, please note that while only one is required you can use more than one (or indeed all three) as long as they are correct). (CNA requirement: [PROBLEMTYPE]).
Must contain a minimum of 1
items
All items must be unique
Must contain a minimum of 1
items
All items must be unique
Text description of problemType, or title from CWE or OWASP.
Must be at least 1
characters long
Must be at most 4096
characters long
CWE ID of the CWE that best describes this problemType entry.
Must match regular expression:^CWE-[1-9][0-9]*$
Must be at least 5
characters long
Must be at most 9
characters long
Problemtype source, text, OWASP, CWE, etc.,
Must be at least 1
characters long
Must be at most 128
characters long
This is reference data in the form of URLs or file objects (uuencoded and embedded within the JSON file, exact format to be decided, e.g. we may require a compressed format so the objects require unpacking before they are "dangerous").
Same definition as referencesThis is reference data in the form of URLs or file objects (uuencoded and embedded within the JSON file, exact format to be decided, e.g. we may require a compressed format so the objects require unpacking before they are "dangerous").
Must contain a minimum of 1
items
Must contain a maximum of 512
items
All items must be unique
The uniform resource locator (URL), according to RFC 3986, that can be used to retrieve the referenced resource.
Same definition as collectionURLUser created name for the reference, often the title of the page.
Must be at least 1
characters long
Must be at most 512
characters long
Collection of impacts of this vulnerability.
Must contain a minimum of 1
items
All items must be unique
This is impact type information (e.g. a text description.
CAPEC ID that best relates to this impact.
Must match regular expression:^CAPEC-[1-9][0-9]{0,4}$
Must be at least 7
characters long
Must be at most 11
characters long
Prose description of the impact scenario. At a minimum provide the description given by CAPEC.
Same definition as descriptionsCollection of impact scores with attribution.
Must contain a minimum of 1
items
All items must be unique
This is impact type information (e.g. a text description, CVSSv2, CVSSv3, etc.). Must contain: At least one entry, can be text, CVSSv2, CVSSv3, others may be added.
Name of the scoring format. This provides a bit of future proofing. Additional properties are not prohibited, so this will support the inclusion of proprietary formats. It also provides an easy future conversion mechanism when future score formats become part of the schema. example: cvssV44, format = 'cvssV44', other = cvssV4_4 JSON object. In the future, the other properties can be converted to score properties when they become part of the schema.
Must be at least 1
characters long
Must be at most 64
characters long
Description of the scenarios this metrics object applies to. If no specific scenario is given, GENERAL is used as the default and applies when no more specific metric matches.
Must contain a minimum of 1
items
All items must be unique
Description of the scenario this metrics object applies to. If no specific scenario is given, GENERAL is used as the default and applies when no more specific metric matches.
Must be at least 1
characters long
Must be at most 4096
characters long
CVSS Version
^CVSS:3[.]1/((AV:[NALP]|AC:[LH]|PR:[NLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])/)*(AV:[NALP]|AC:[LH]|PR:[NLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])$
Value must be greater or equal to 0
and lesser or equal to 10
CVSS Version
^CVSS:3[.]0/((AV:[NALP]|AC:[LH]|PR:[UNLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XUNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])/)*(AV:[NALP]|AC:[LH]|PR:[UNLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XUNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])$
Value must be greater or equal to 0
and lesser or equal to 10
CVSS Version
^((AV:[NAL]|AC:[LMH]|Au:[MSN]|[CIA]:[NPC]|E:(U|POC|F|H|ND)|RL:(OF|TF|W|U|ND)|RC:(UC|UR|C|ND)|CDP:(N|L|LM|MH|H|ND)|TD:(N|L|M|H|ND)|[CIA]R:(L|M|H|ND))/)*(AV:[NAL]|AC:[LMH]|Au:[MSN]|[CIA]:[NPC]|E:(U|POC|F|H|ND)|RL:(OF|TF|W|U|ND)|RC:(UC|UR|C|ND)|CDP:(N|L|LM|MH|H|ND)|TD:(N|L|M|H|ND)|[CIA]R:(L|M|H|ND))$
Value must be greater or equal to 0
and lesser or equal to 10
A non-standard impact description, may be prose or JSON block.
Name of the non-standard impact metrics format used.
Must be at least 1
characters long
Must be at most 128
characters long
JSON object not covered by another metrics format.
Configurations required for exploiting this vulnerability.
Must contain a minimum of 1
items
All items must be unique
Text in a particular language with optional alternate markup or formatted representation (e.g., Markdown) or embedded media.
Same definition as descriptionWorkarounds and mitigations for this vulnerability.
Must contain a minimum of 1
items
All items must be unique
Text in a particular language with optional alternate markup or formatted representation (e.g., Markdown) or embedded media.
Same definition as descriptionInformation about solutions or remediations available for this vulnerability.
Must contain a minimum of 1
items
All items must be unique
Text in a particular language with optional alternate markup or formatted representation (e.g., Markdown) or embedded media.
Same definition as descriptionInformation about exploits of the vulnerability.
Must contain a minimum of 1
items
All items must be unique
Text in a particular language with optional alternate markup or formatted representation (e.g., Markdown) or embedded media.
Same definition as descriptionThis is timeline information for significant events about this vulnerability or changes to the CVE Record.
Must contain a minimum of 1
items
All items must be unique
Timestamp representing when the event in the timeline occurred. The timestamp format is based on RFC3339 and ISO ISO8601, with an optional timezone. yyyy-MM-ddTHH:mm:ssZZZZ - if the timezone offset is not given, GMT (0000) is assumed.
Same definition as dateUpdatedThe language used in the description of the event. The language field is included so that CVE Records can support translations. The value must be a BCP 47 language code.
Same definition as langA summary of the event.
Must be at least 1
characters long
Must be at most 4096
characters long
Statements acknowledging specific people, organizations, or tools recognizing the work done in researching, discovering, remediating or helping with activities related to this CVE.
Must contain a minimum of 1
items
All items must be unique
The language used when describing the credits. The language field is included so that CVE Records can support translations. The value must be a BCP 47 language code.
Same definition as langMust be at least 1
characters long
Must be at most 4096
characters long
UUID of the user being credited if present in the CVE User Registry (optional). This UUID can be used to lookup the user record in the user registry service.
Same definition as assignerOrgIdType or role of the entity being credited (optional). finder: identifies the vulnerability.
reporter: notifies the vendor of the vulnerability to a CNA.
analyst: validates the vulnerability to ensure accuracy or severity.
coordinator: facilitates the coordinated response process.
remediation developer: prepares a code change or other remediation plans.
remediation reviewer: reviews vulnerability remediation plans or code changes for effectiveness and completeness.
remediation verifier: tests and verifies the vulnerability or its remediation.
tool: names of tools used in vulnerability discovery or identification.
sponsor: supports the vulnerability identification or remediation activities.
This is the source information (who discovered it, who researched it, etc.) and optionally a chain of CNA information (e.g. the originating CNA and subsequent parent CNAs who have processed it before it arrives at the MITRE root).
Must contain: IF this is in the root level it MUST contain a CNA_chain entry, IF this source entry is NOT in the root (e.g. it is part of a vendor statement) then it must contain at least one type of data entry.
List of taxonomy items related to the vulnerability.
Must contain a minimum of 1
items
All items must be unique
The name of the taxonomy.
Must be at least 1
characters long
Must be at most 128
characters long
The version of taxonomy the identifiers come from.
Must be at least 1
characters long
Must be at most 128
characters long
Must contain a minimum of 1
items
All items must be unique
List of relationships to the taxonomy for the vulnerability. Relationships can be between the taxonomy and the CVE or two taxonomy items.
Identifier of the item in the taxonomy. Used as the subject of the relationship.
Must be at least 1
characters long
Must be at most 2048
characters long
A description of the relationship.
Must be at least 1
characters long
Must be at most 128
characters long
The target of the relationship. Can be the CVE ID or another taxonomy identifier.
Must be at least 1
characters long
Must be at most 2048
characters long
All property whose name matches the following regular expression must respect the following conditions
Property name regular expression:^x_[^.]*$
Must contain a minimum of 1
items
All items must be unique
An object containing the vulnerability information provided by an Authorized Data Publisher (ADP). Since multiple ADPs can provide information for a CVE ID, an ADP container must indicate which ADP is the source of the information in the object.
No Additional PropertiesDetails related to the information container provider (CNA or ADP).
Same definition as providerMetadataIf known, the date/time the vulnerability was disclosed publicly.
Same definition as dateUpdatedA title, headline, or a brief phrase summarizing the information in an ADP container.
Must be at least 1
characters long
Must be at most 256
characters long
A list of multi-lingual descriptions of the vulnerability. E.g., [PROBLEMTYPE] in [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] on [PLATFORMS] allows [ATTACKER] to [IMPACT] via [VECTOR]. OR [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] [ROOT CAUSE], which allows [ATTACKER] to [IMPACT] via [VECTOR].
Same definition as descriptionsThis is problem type information (e.g. CWE identifier). Must contain: At least one entry, can be text, OWASP, CWE, please note that while only one is required you can use more than one (or indeed all three) as long as they are correct). (CNA requirement: [PROBLEMTYPE]).
Same definition as problemTypesThis is reference data in the form of URLs or file objects (uuencoded and embedded within the JSON file, exact format to be decided, e.g. we may require a compressed format so the objects require unpacking before they are "dangerous").
Same definition as referencesConfigurations required for exploiting this vulnerability.
Same definition as configurationsInformation about solutions or remediations available for this vulnerability.
Same definition as solutionsThis is timeline information for significant events about this vulnerability or changes to the CVE Record.
Same definition as timelineStatements acknowledging specific people, organizations, or tools recognizing the work done in researching, discovering, remediating or helping with activities related to this CVE.
Same definition as creditsThis is the source information (who discovered it, who researched it, etc.) and optionally a chain of CNA information (e.g. the originating CNA and subsequent parent CNAs who have processed it before it arrives at the MITRE root).
Must contain: IF this is in the root level it MUST contain a CNA_chain entry, IF this source entry is NOT in the root (e.g. it is part of a vendor statement) then it must contain at least one type of data entry.
List of taxonomy items related to the vulnerability.
Same definition as taxonomyMappingsAll property whose name matches the following regular expression must respect the following conditions
Property name regular expression:^x_[^.]*$
If the CVE ID and associated CVE Record should no longer be used, the CVE Record is placed in the Rejected state. A Rejected CVE Record remains on the CVE List so that users can know when it is invalid.
No Additional PropertiesIndicates the type of information represented in the JSON instance.
Same definition as dataTypeThe version of the schema being used. Used to support multiple versions of this format.
Same definition as dataVersionThis is meta data about the CVE ID such as the CVE ID, who requested it, who assigned it, when it was requested, the current state (PUBLISHED, REJECTED, etc.) and so on. These fields are controlled by the CVE Services.
No Additional PropertiesThe UUID for the organization to which the CVE ID was originally assigned.
Same definition as assignerOrgIdThe short name for the organization to which the CVE ID was originally assigned.
Same definition as assignerShortNameThe system of record causes this to start at 1, and increment by 1 each time a submission from a data provider changes this CVE Record. The incremented value moves to the Rejected schema upon a PUBLISHED->REJECTED transition, and moves to the Published schema upon a REJECTED->PUBLISHED transition.
Value must be greater or equal to 1
The date/time the CVE Record was first published in the CVE List.
Same definition as dateUpdatedState of CVE - PUBLISHED, REJECTED.
The date/time this CVE ID was reserved in the CVE automation workgroup services system. Disclaimer: This date reflects when the CVE ID was reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Same definition as dateUpdatedA set of structures (called containers) used to store vulnerability information related to a specific CVE ID provided by a specific organization participating in the CVE program. Each container includes information provided by a different source.
At minimum, a 'cna' container containing the vulnerability information provided by the CNA who initially assigned the CVE ID must be included.
There can only be one 'cna' container, as there can only be one assigning CNA.
An object containing the vulnerability information provided by a CVE Numbering Authority (CNA) for a rejected CVE ID. There can only be one CNA container per CVE record since there can only be one assigning CNA.
No Additional PropertiesDetails related to the information container provider (CNA or ADP).
Same definition as providerMetadataContains an array of CVE IDs that this CVE ID was rejected in favor of because this CVE ID was assigned to the vulnerabilities.
Must contain a minimum of 1
items
All items must be unique
All property whose name matches the following regular expression must respect the following conditions
Property name regular expression:^x_[^.]*$