Mission and Overview
NVD is the U.S. government repository of standards based vulnerability management data. This data enables automation of vulnerability management, security measurement, and compliance (e.g. FISMA).
Resource Status

NVD contains:

33101 CVE Vulnerabilities
132 Checklists
151 US-CERT Alerts
2271 US-CERT Vuln Notes
2097 OVAL Queries

Last updated:  10/10/08

CVE Publication rate:

18 vulnerabilities / day
Email List

NVD provides four mailing lists to the public. For information and subscription instructions please visit NVD Mailing Lists

Workload Index
Vulnerability Workload Index: 11.39
About Us

NVD is a product of the NIST Computer Security Division and is sponsored by the Department of Homeland Security’s National Cyber Security Division. It supports the U.S. government multi-agency (OSD, DHS, NSA, DISA, and NIST) Information Security Automation Program. It is the U.S. government content repository for the Security Content Automation Protocol (SCAP).

NVD XML Feed Documentation

This page is a legend for the NVD XML feeds available at http://nvd.nist.gov/download.cfm. This page is intended to be more clear and readable than the comments in the NVD XML Schema and DTD files.

The table below explains the meaning and usage of each of the element tags in NVD XML feeds. The first column is the name of the element and indicates whether or not it is required to appear in the feed document. The second column describes the element. The third column lists and describes each of the attributes of the element and their meanings. The fourth column lists each of its child elements in the order in which they appear in the feed. The data types for attributes are not explicitly described in this file. Please refer to the NVD XML Schema or DTD file for those specific details.

Note: Each CVE entry within the NVD XML feed is designed to be minimally compatible with the CVE XML feed in that it will contain all of the same elements and attributes as a CVE XML feed. This feature allows for CVE XML parsers to also be able to handle NVD XML feeds. For more information about CVE, please visit http://cve.mitre.org

Alphabetical Index of NVD XML elements:
access avail conf config desc descript design entry env exception impact impacts input int local loss_types nvd other prod race range ref refs remote sec_prot sol sols user_init vers vuln_soft vuln_types
Element Name | Element Description | Attributes (required?) | Child Elements (# of occurrences)
nvd Root element.
  • nvd_xml_version (required): the schema and DTD version number currently supported by the XML feed
  • pub_date (required): the date the XML feed was compiled
entry Root element for each CVE entry.
  • type (required): Indicates whether this vulnerability has a CVE or CAN name (e.g. matches regular expression "(CAN|CVE)")
  • name (required): This vulnerability's full CVE name (e.g. matches regular expression "(CAN|CVE)-\d\d\d\d-\d\d\d\d")
  • seq (required): This vulnerability's sequence number; same as the "name" attribute stripped of "(CAN|CVE)-" prefix
  • nvd_name: This vulnerability's NVD name (if it exists; NVD has yet to employ its own naming scheme, but this attribute is included to facilitate the development of such a scheme)
  • discovered: The date on which this vulnerability was discovered, if available. Matches NVD Date Format Mask
  • published (required): The date on which this vulnerability was published in NVD. Matches NVD Date Format Mask
  • modified: The date on which this vulnerability was last modified. Matches NVD Date Format Mask
  • severity: The severity of this vulnerability, as determined by NVD analysts ("High", "Medium", or "Low")
  • CVSS_version: The CVSS version indicator
  • CVSS_base_score: The CVSS base score of this vulnerability (0.0-10.0)
  • CVSS_impact_score: The CVSS impact subscore of this vulnerability (0.0-10.0)
  • CVSS_exploit_score: The CVSS exploit subscore of this vulnerability (0.0-10.0)
  • CVSS_vector: The CVSS base vector that contains the attributes used to calculate the CVSS base score
  • reject: Indicates that this vulnerability name has been rejected from the CVE dictionary (always has value "1")
desc Wrapper tag for all documented descriptions of this vulnerability. None
descript Contains a description of this vulnerability as published by the source indicated in the "source" attribute. Currently, the only description sources in NVD are CVE and NVD.
  • source (required): The source ("nvd" or "cve") of this vulnerability description
  • Text containing a description of this vulnerability
impacts Wrapper tag for all documented impact explanations of this vulnerability. None
impact Contains an impact explanation of this vulnerability as published by the source indicated in the "source" attribute. Currently, the only impact explanation source in NVD is NVD.
  • source (required): The source ("nvd") of this impact explanation
  • Text containing an explanation of the impact of this vulnerability.
sols Wrapper tag for all documented solution explanations of this vulnerability. None
  • sol (1 or more)
sol Contains a solution explanation of this vulnerability as published by the source indicated in the "source" attribute. Currently, the only solution explanation source in NVD is NVD.
  • source (required): The source ("nvd") of this solution explanation
  • Text containing an explanation of the solution to this vulnerability.
loss_types Wrapper tag for the types of loss that exploitation of this vulnerability can cause. Each child of this element represents a loss type that is specific to this vulnerability. None
avail Indicates exploitation of this vulnerability can result in a loss of availability of the target (e.g. denial of service). None None
conf Indicates exploitation of this vulnerability can result in compromised confidentiality on the target machine (e.g. information, data, or memory can be read from the target without appropriate credentials). None None
int Indicates exploitation of this vulnerability can result in a loss of integrity on the target machine (e.g. information, data, or memory can be altered on the target machine without the proper credentials). None None
sec_prot Indicates exploitation of this vulnerability can result in a loss of security protection on the target machine. This element's attributes describe the level of security protection that is lost.
  • admin: Indicates exploitation of this vulnerability can result in the attacker gaining administrative privileges on the target machine (always has value "1")
  • user: Indicates exploitation of this vulnerability can result in the attacker gaining user privileges on the target machine (always has value "1")
  • other: Indicates exploitation of this vulnerability can result in the attacker gaining some other privileges on the target machine (i.e. privileges bound by those of the program being exploited; always has value "1")
None
vuln_types Wrapper tag for type descriptors that apply to this vulnerability None
access Indicates that this vulnerability takes advantage of an access validation error. None None
input Indicates that this vulnerability takes advantage of an input validation error.
  • bound: Indicates that this input validation error is more specifically a boundary condition error (always has value "1")
  • buffer: Indicates that this input validation error is more specifically a buffer overflow (always has value "1")
None
design Indicates that this vulnerability takes advantage of a design error. None None
exception Indicates that this vulnerability takes advantage of an exceptional condition error. None None
env Indicates that this vulnerability takes advantage of an environmental error. None None
config Indicates that this vulnerability takes advantage of a configuration error. None None
race Indicates that this vulnerability takes advantage of a race condition error. None None
other Indicates that this vulnerability takes advantage of some other error. None None
range Wrapper tag for tags describing the attack range of this vulnerability. None
local Indicates that this vulnerability can be exploited by an attacker with local access to the machine. This includes remote terminal access through telnet, SSH, etc. None None
local_network Indicates that this vulnerability can be exploited by an attacker with remote access within the local area network of the machine and the user is specifically not authenticated on the target machine. None None
network Indicates that this vulnerability can be exploited by an attacker with remote access to the machine and is specifically not authenticated on the target machine. None None
user_init Indicates that this vulnerability requires a user on the target computer to access the attacker (i.e. through clicking a malicious hyperlink). None None
refs Wrapper tag for all documented references to this vulnerability. None
  • ref (0 or more)
ref Contains information about a single reference to this vulnerability.
  • source (required): Source for this reference
  • url (required): Hyperlink to this reference
  • sig: Indicates this reference includes a tool signature (always has value "1")
  • adv: Indicates this reference is a Security Advisory (always has value "1")
  • patch: Indicates this reference includes information for patching this vulnerability (always has value "1")
  • Text containing the source's name for this vulnerability
vuln_soft Wrapper tag for a list of software products that are susceptible to this vulnerability. None
prod Names a product that is susceptible to this vulnerability and serves as a wrapper tag for the versions of this product that are specifically affected.
  • name (required): The name of this product
  • vendor (required): The name of this product's vendor
vers Gives a version number of this product that is susceptible to this vulnerability.
  • num (required): A version number of this product that is susceptible to this vulnerability
  • prev: Indicates that versions of this product released before the indicated version are also affected by this vulnerability (always has value "1")
  • edition: An edition of this product that is susceptible to this vulnerability
None


*NVD Date Format Mask
Dates in NVD XML feeds are formatted using the following mask: yyyy-mm-dd
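
The following consumer for the feed layout documented above is an added example, not code from NVD or from the original page. It validates each entry's name, seq and published attributes, skips rejected names, and flattens the flag-style child elements into lists. The sample feed, its values (including the nvd_xml_version value) and the helper names `local`, `kids`, `flags` and `parse_feed` are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from datetime import date

# Constructed sample feed (placeholder names and values, not real NVD data).
SAMPLE_FEED = """<nvd nvd_xml_version="1.2" pub_date="2008-10-10">
 <entry type="CVE" name="CVE-0000-0001" seq="0000-0001" published="2008-10-09"
        severity="High" CVSS_base_score="9.3">
  <loss_types><avail/><sec_prot admin="1"/></loss_types><vuln_types><input buffer="1"/></vuln_types>
  <range><network/><user_init/></range>
  <refs><ref source="EXAMPLE" url="http://example.com/adv" adv="1" patch="1">EX-1</ref></refs>
  <vuln_soft><prod name="exampled" vendor="example">
   <vers num="1.0" prev="1"/><vers num="1.1" edition="sp1"/></prod></vuln_soft>
 </entry>
 <entry type="CVE" name="CVE-0000-0002" seq="0000-0002" published="2008-10-09" reject="1"/>
</nvd>"""

NAME_RE = re.compile(r"(CAN|CVE)-\d\d\d\d-\d\d\d\d")

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop an XML namespace prefix if the feed declares one

def kids(elem, name=None):  # children of elem ([] if elem is None), optionally filtered by tag
    return [c for c in (elem if elem is not None else []) if name in (None, local(c.tag))]

def flags(wrapper):
    """Flag children of a wrapper, plus their "1"-valued attributes (e.g. input:buffer)."""
    return [f for c in kids(wrapper) for f in
            [local(c.tag)] + [f"{local(c.tag)}:{k}" for k, v in c.attrib.items() if v == "1"]]

def parse_feed(xml_text):
    """Return one dict per non-rejected entry; raise on missing or malformed required attributes."""
    results = []
    for e in kids(ET.fromstring(xml_text), "entry"):
        a, sub = e.attrib, {local(c.tag): c for c in e}
        if not NAME_RE.fullmatch(a["name"]) or a["seq"] != a["name"].split("-", 1)[1]:
            raise ValueError(f"bad name/seq: {a['name']!r}")
        date.fromisoformat(a["published"])  # must parse as an ISO date; ValueError otherwise
        if a.get("reject") == "1":
            continue  # name rejected from the CVE dictionary
        results.append({
            "name": a["name"], "severity": a.get("severity"),
            "cvss": float(a["CVSS_base_score"]) if "CVSS_base_score" in a else None,
            "loss": flags(sub.get("loss_types")), "types": flags(sub.get("vuln_types")), "range": flags(sub.get("range")),
            "patch_urls": [r.get("url") for r in kids(sub.get("refs"), "ref") if r.get("patch") == "1"],
            "affected": [(p.get("vendor"), p.get("name"), v.get("num"), v.get("prev") == "1")
                         for p in kids(sub.get("vuln_soft"), "prod") for v in kids(p, "vers")],
        })
    return results
```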

Send comments or suggestions to nvd@nist.gov