Mission and Overview
NVD is the U.S. government repository of standards based vulnerability management data. This data enables automation of vulnerability management, security measurement, and compliance (e.g. FISMA).
Resource Status
NVD contains:

Last updated: 8/29/2015 10:29:14 AM

CVE Publication rate: 19.2

Email List

NVD provides four mailing lists to the public. For information and subscription instructions please visit NVD Mailing Lists

Workload Index
Vulnerability Workload Index: 9.81
About Us
NVD is a product of the NIST Computer Security Division and is sponsored by the Department of Homeland Security's National Cyber Security Division. It supports the U.S. government multi-agency (OSD, DHS, NSA, DISA, and NIST) Information Security Automation Program. It is the U.S. government content repository for the Security Content Automation Protocol (SCAP).
 

CWE - Common Weakness Enumeration

The Common Weakness Enumeration Specification (CWE) provides a common language of discourse for discussing, finding and dealing with the causes of software security vulnerabilities as they are found in code, design, or system architecture. Each individual CWE represents a single vulnerability type. CWE is currently maintained by the MITRE Corporation with support from the National Cyber Security Division (DHS). A detailed CWE list is currently available at the MITRE website; this list provides a detailed definition for each individual CWE.

All individual CWEs are held within a hierarchical structure that allows for multiple levels of abstraction. CWEs located at higher levels of the structure (i.e. Configuration) provide a broad overview of a vulnerability type and can have many children CWEs associated with them. CWEs at deeper levels in the structure (i.e. Cross Site Scripting) provide a finer granularity and usually have fewer or no children CWEs. The image to the right represents a portion of the overall CWE structure, the red boxes represent the CWEs being used by NVD. (click to enlarge).

NVD integrates CWE into the scoring of CVE vulnerabilities by providing a cross section of the overall CWE structure. NVD analysts score CVEs using CWEs from different levels of the hierarchical structure. This cross section of CWEs allows analysts to score CVEs at both a fine and coarse granularity, which is necessary due to the varying levels of specificity possessed by different CVEs. The cross section of CWEs used by NVD is listed below; each CWE listed links to a detailed description hosted by MITRE. For a better understanding of how the standards link together please visit: MITRE - Making Security Measurable

CWE is not currently part of the Security Content Automation Protocol (SCAP). NVD is using CWE as a classification mechanism that differentiates CVEs by the type of vulnerability they represent.

Related Activities


CWE Cross Section Mapped into by NVD
Name CWE-ID Description
Authentication Issues CWE-287 When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.
Buffer Errors CWE-119 The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.
Code CWE-17 Weaknesses in this category are typically introduced during code development, including specification, design, and implementation.
Code Injection CWE-94 The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Command Injection CWE-77 The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Configuration CWE-16 Weaknesses in this category are typically introduced during the configuration of the software.
Credentials Management CWE-255 Weaknesses in this category are related to the management of credentials.
Cross-Site Request Forgery (CSRF) CWE-352 The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
Cross-Site Scripting (XSS) CWE-79 The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Cryptographic Issues CWE-310 Weaknesses in this category are related to the use of cryptography.
Data Handling CWE-19 Weaknesses in this category are typically found in functionality that processes data.
Format String Vulnerability CWE-134 The software uses externally-controlled format strings in printf-style functions, which can lead to buffer overflows or data representation problems.
Improper Access Control CWE-284 The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Indicator of Poor Code Quality CWE-398 The code has features that do not directly introduce a weakness or vulnerability, but indicate that the product has not been carefully developed or maintained.
Information Leak / Disclosure CWE-200 An information exposure is the intentional or unintentional disclosure of information to an actor that is not explicitly authorized to have access to that information.
Information Management Errors CWE-199 Weaknesses in this category are related to improper handling of sensitive information.
Injection CWE-74 The software constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Input Validation CWE-20 The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.
Insufficient Information NVD-CWE-noinfo There is insufficient information about the issue to classify it; details are unkown or unspecified.
Insufficient Verification of Data Authenticity CWE-345 The software does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
Link Following CWE-59 The software attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
Location CWE-1 Weaknesses in this category are organized based on which phase they are introduced during the software development and deployment process.
Numeric Errors CWE-189 Weaknesses in this category are related to improper calculation or conversion of numbers.
OS Command Injections CWE-78 The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Other NVD-CWE-Other NVD is only using a subset of CWE for mapping instead of the entire CWE, and the weakness type is not covered by that subset.
Path Equivalence CWE-21 Weaknesses in this category can be used to access files outside of a restricted directory (path traversal) or to perform operations on files that would otherwise be restricted (path equivalence).
Path Traversal CWE-22 The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Permissions, Privileges, and Access Control CWE-264 Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.
Race Conditions CWE-362 The program contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.
Resource Management Errors CWE-399 Weaknesses in this category are related to improper management of system resources.
Security Features CWE-254 Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.
Source Code CWE-18 Weaknesses in this category are typically found within source code.
SQL Injection CWE-89 The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.
Time and State CWE-361 Weaknesses in this category are related to the improper management of time and state in an environment that supports simultaneous or near-simultaneous computation by multiple systems, processes, or threads.