Mission and Overview
NVD is the U.S. government repository of standards-based vulnerability management data. This data enables automation of vulnerability management, security measurement, and compliance (e.g. FISMA).
Resource Status
Last updated: 10/23/2014 11:28:21 AM

CVE Publication rate: 52

Email List

NVD provides four mailing lists to the public. For information and subscription instructions, please visit NVD Mailing Lists.

Workload Index
Vulnerability Workload Index: 15.21
About Us
NVD is a product of the NIST Computer Security Division and is sponsored by the Department of Homeland Security's National Cyber Security Division. It supports the U.S. government multi-agency (OSD, DHS, NSA, DISA, and NIST) Information Security Automation Program. It is the U.S. government content repository for the Security Content Automation Protocol (SCAP).

CVSS v2 Vector Definitions

Every application or service that uses the Common Vulnerability Scoring System (CVSS) should provide not only the CVSS score, but also a vector describing the components from which the score was calculated. This provides users of the score confidence in its correctness and provides insight into the nature of the vulnerability.

CVSS vectors always include base metrics and may contain temporal metrics. See the CVSS standard's guide (this is the version 1.0 guide) for detailed descriptions of CVSS metrics and their possible values.

CVSS Base Vectors

CVSS vectors containing only base metrics take the following form:
(AV:[L,A,N]/AC:[H,M,L]/Au:[N,S,M]/C:[N,P,C]/I:[N,P,C]/A:[N,P,C])

The letters within brackets represent possible values of a CVSS metric. Exactly one option must be chosen for each set of brackets. Letters not within brackets are mandatory and must be included in order to create a valid CVSS vector. Each letter or pair of letters is an abbreviation for a metric or metric value within CVSS. These abbreviations are defined below.

Example 1: (AV:L/AC:H/Au:N/C:N/I:P/A:C)
Example 2: (AV:A/AC:L/Au:M/C:C/I:N/A:P)

Metric: AV = AccessVector (Related exploit range)
Possible Values: L = Local access, A = Adjacent network, N = Network

Metric: AC = AccessComplexity (Required attack complexity)
Possible Values: H = High, M = Medium, L = Low

Metric: Au = Authentication (Level of authentication needed to exploit)
Possible Values: N = None required, S = Requires single instance, M = Requires multiple instances

Metric: C = ConfImpact (Confidentiality impact)
Possible Values: N = None, P = Partial, C = Complete

Metric: I = IntegImpact (Integrity impact)
Possible Values: N = None, P = Partial, C = Complete

Metric: A = AvailImpact (Availability impact)
Possible Values: N = None, P = Partial, C = Complete

CVSS Temporal Vectors

CVSS vectors containing temporal metrics are formed by appending the temporal metrics to the base vector. The temporal metrics appended to the base vector take the following form:
/E:[U,POC,F,H,ND]/RL:[OF,T,W,U,ND]/RC:[UC,UR,C,ND]

Example 1: (AV:L/AC:H/Au:N/C:N/I:P/A:C/E:POC/RL:OF/RC:C)
Example 2: (AV:L/AC:L/Au:M/C:C/I:N/A:P/E:F/RL:T/RC:UR)

Metric: E = Exploitability (Availability of exploit)
Possible Values: U = Unproven, POC = Proof-of-concept, F = Functional, H = High, ND = Not Defined

Metric: RL = RemediationLevel (Type of fix available)
Possible Values: OF = Official-fix, T = Temporary-fix, W = Workaround, U = Unavailable, ND = Not Defined

Metric: RC = ReportConfidence (Level of verification that the vulnerability exists)
Possible Values: UC = Unconfirmed, UR = Uncorroborated, C = Confirmed, ND = Not Defined

CVSS Environmental Vectors

CVSS vectors containing environmental metrics are formed by appending the environmental metrics to the temporal vector. The environmental metrics appended to the temporal vector take the following form:
/CDP:[N,L,LM,MH,H,ND]/TD:[N,L,M,H,ND]/CR:[L,M,H,ND]/IR:[L,M,H,ND]/AR:[L,M,H,ND]

Example 1: (AV:L/AC:H/Au:N/C:N/I:P/A:C/E:POC/RL:OF/RC:C/CDP:L/TD:M/CR:L/IR:L/AR:H)
Example 2: (AV:L/AC:L/Au:M/C:C/I:N/A:P/E:F/RL:T/RC:UR/CDP:MH/TD:H/CR:M/IR:L/AR:M)

Metric: CDP = Collateral Damage Potential (Organization specific potential for loss)
Possible Values: N = None, L = Low, LM = Low-Medium, MH = Medium-High, H = High, ND = Not Defined

Metric: TD = Target Distribution (Percentage of vulnerable systems)
Possible Values: N = None (0%), L = Low (1-25%), M = Medium (26-75%), H = High (76-100%), ND = Not Defined

Metric: CR = System Confidentiality Requirement (draft proposal)
Possible Values: L = Low, M = Medium, H = High, ND = Not Defined

Metric: IR = System Integrity Requirement (draft proposal)
Possible Values: L = Low, M = Medium, H = High, ND = Not Defined

Metric: AR = System Availability Requirement (draft proposal)
Possible Values: L = Low, M = Medium, H = High, ND = Not Defined

CVSS Vectors and CVSS Compatible Products

CVSS compatible products may provide their users access to the NVD CVSS v2 calculator by creating a hyperlink that includes the CVSS vector and, optionally, the vulnerability name. This works for both base and temporal vectors. The hyperlinks should take one of the following forms.

Example base vector hyperlinks to CVSS calculator (with and without vulnerability name):
1. http://nvd.nist.gov/CVSS/CVSS-v2-Calculator?vector=(AV:L/AC:H/Au:N/C:N/I:P/A:C)
2. http://nvd.nist.gov/CVSS/CVSS-v2-Calculator?name=example&vector=(AV:A/AC:L/Au:M/C:C/I:N/A:P)

Example temporal vector hyperlinks to CVSS calculator (with and without vulnerability name):
1. http://nvd.nist.gov/CVSS/CVSS-v2-Calculator?vector=(AV:L/AC:H/Au:N/C:N/I:P/A:C/E:POC/RL:OF/RC:C)
2. http://nvd.nist.gov/CVSS/CVSS-v2-Calculator?name=example&vector=(AV:A/AC:L/Au:M/C:C/I:N/A:P/E:F/RL:T/RC:UR)