National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Vulnerabilities

CVE defines a vulnerability as:
"A weakness in the computational logic (e.g., code) found in software and hardware components that, when exploited, results in a negative impact to confidentiality, integrity, or availability. Mitigation of the vulnerabilities in this context typically involves coding changes, but could also include specification changes or even specification deprecations (e.g., removal of affected protocols or functionality in their entirety)."
All vulnerabilities in the NVD have been assigned a CVE identifier and thus, abide by this definition.

Using Vulnerabilities within the NVD

  1. Vulnerability Search and Detail Pages
  2. Download vulnerability information for all published CVE vulnerabilities from the NVD Data Feeds

A CVE that is in the **RESERVED** state in the CVE Dictionary will not appear in the NVD. 

 

CVE Statuses in NVD

Received CVE has been recently published to the CVE dictionary and has been received by the NVD.
Awaiting Analysis CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.
Undergoing Analysis CVE is currently being analyzed by NVD staff, this process results in association of reference link tags, CVSS scores, CWE association, and CPE applicability statements.
Analyzed CVE has had analysis completed and all data associations made. Each Analysis has three sub-types, Initial, Modified and Reanalysis. Analyzed CVEs do not show a banner on the vulnerability detail page. Initial -- used to show the first time analysis was performed on a given CVE. Modified -- used to show that analysis was performed due to a modification the CVE’s information. Reanalysis -- used to show that new analysis occurred, but was not due to a modification from an external source.
Modified CVE has been amended by a source (CVE Primary CNA or another CNA). Analysis data supplied by the NVD may be no longer be accurate due to these changes.
Deferred When a CVE is given this status the NVD does not plan analyze or re-analyze this CVE due to resource or other concerns.
Rejected CVE has been marked as "**REJECT**" in the CVE Dictionary. These CVEs are in the NVD, but currently do not show up in search results.