National Vulnerability Database

CPE Ranges

NVD will be making a change to the Vulnerable Product Configurations by adding version ranges. This will be visible to users of NVD data on the vulnerability detail pages and in the BETA JSON data feeds. On the vulnerability detail pages, ranges will be displayed to the user with the option to show which CPEs in the range are present in the Official CPE Dictionary. The schema for the BETA JSON feeds has been expanded to support ranges: the "previousVersions" flag has been replaced with additional attributes that express the range. The schemas for the XML feeds have not changed. Examples are provided below.

Please note that CPEs can still be listed explicitly, as they are today, and a configuration may contain a combination of ranges and explicit CPE strings.

If the CPEs enumerated in a range contain gaps, the missing versions most likely still need to be added to the Official CPE Dictionary. Anyone who believes a supplied range is missing legitimate versions is encouraged to send an email to cpe_dictionary@nist.gov with information to assist in populating the CPE dictionary.
Example 1 (explicit list replaced by a bounded range):

Before:
cpe:2.3:a:tibco:jasperreports_server:6.2.0:*:*:*:*:*:*:*
cpe:2.3:a:tibco:jasperreports_server:6.2.1:*:*:*:*:*:*:*
cpe:2.3:a:tibco:jasperreports_server:6.3.0:*:*:*:*:*:*:*

After:
cpe:2.3:a:tibco:jasperreports_server:*:*:*:*:*:*:*:* versions from (including) 6.2.0 up to (including) 6.3.0

Example 2 ("& previous" replaced by an upper-bounded range):

Before:
cpe:2.3:a:oracle:mysql:5.7.19:*:*:*:*:*:*:* & previous

After:
cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:* versions up to (including) 5.7.19

Example 3 (BETA JSON feed, "previousVersions" flag replaced by a range attribute):

Before:
"previousVersions" : true
"cpe23Uri" : "cpe:2.3:a:oracle:mysql:5.7.17:*:*:*:*:*:*:*"

After:
"cpe23Uri" : "cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:*"
"versionEndIncluding" : "5.7.17"
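The following is an added example, not NVD's own code, showing what a consumer of the BETA JSON feed has to do with the change in Example 3: rewrite a legacy "previousVersions" entry into the range form, and then decide whether a concrete CPE string falls inside an explicit or ranged "cpe23Uri" match. Only "versionEndIncluding" appears on this page; the sibling attributes "versionStartIncluding", "versionStartExcluding" and "versionEndExcluding" from the same NVD JSON schema are handled too, and the sample entries are constructed from the examples above.

```python
import re


def split_cpe23(uri):
    """Split a CPE 2.3 formatted string into its 13 fields (an escaped '\\:' is not a separator)."""
    parts = re.split(r'(?<!\\):', uri)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError("not a CPE 2.3 formatted string: %s" % uri)
    return parts


def version_key(version):
    """Sort key so that '5.7.19' > '5.7.2'; non-numeric pieces sort after numeric ones."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in version.split("."))


def upgrade_legacy_match(match):
    """Rewrite a pre-change cpe_match entry that uses the 'previousVersions' flag
    into the range form (wildcard version plus versionEndIncluding)."""
    if not match.get("previousVersions"):
        return dict(match)
    parts = split_cpe23(match["cpe23Uri"])
    end = parts[5]          # field 5 of a CPE 2.3 string is the version
    parts[5] = "*"
    return {"cpe23Uri": ":".join(parts), "versionEndIncluding": end}


def cpe_in_range(cpe_uri, match):
    """True if the concrete CPE is covered by a cpe_match entry, explicit or ranged."""
    cand = split_cpe23(cpe_uri)
    base = split_cpe23(match["cpe23Uri"])
    # Every field except the version must agree; '*' in the match entry accepts anything.
    for i, (c, b) in enumerate(zip(cand, base)):
        if i != 5 and b != "*" and c != b:
            return False
    if base[5] != "*":      # explicit CPE: exact version only
        return cand[5] == base[5]
    v = version_key(cand[5])
    if "versionStartIncluding" in match and v < version_key(match["versionStartIncluding"]):
        return False
    if "versionStartExcluding" in match and v <= version_key(match["versionStartExcluding"]):
        return False
    if "versionEndIncluding" in match and v > version_key(match["versionEndIncluding"]):
        return False
    if "versionEndExcluding" in match and v >= version_key(match["versionEndExcluding"]):
        return False
    return True
```

Note that a range only tells you which versions are affected; whether each of those versions has its own entry in the Official CPE Dictionary is a separate lookup, which is the gap the page asks readers to report.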