National Vulnerability Database

Known Affected Software Configurations

This section of the vulnerability detail page is used to show what software or combinations of software are considered to be vulnerable at the time of analysis. The NVD uses the Common Platform Enumeration (CPE) 2.3 specification when creating these applicability statements and the matching CPE URI[s].
Applicability statements are a way to communicate which products are vulnerable in a relatively flexible syntax. Unfortunately, the syntax was designed primarily to be processed by machines, which makes it harder for human readers to digest. Because of this, we have attempted to represent this information in a more human-readable way while still reflecting the products as they exist in the CPE Dictionary.

Configurations

A configuration is a container that holds a set of nodes, which in turn contain CPE URI Match Criteria. There are three configuration types.

Basic: A single node containing one or more sets of match criteria. This configuration type communicates that each CPE URI that matches the match criteria is considered vulnerable.
Running On/With: A combination of nodes containing both vulnerable and non-vulnerable match criteria. This configuration type communicates that CPE URIs that match the match criteria from both nodes must be present before a vulnerability applies.
Advanced: A complex combination of nodes with many enumerations based on the CPE 2.3 specification. Advanced configurations are displayed with the actual nodes and node values on the vulnerability detail page rather than in the simplified form used for the Basic and Running On/With configuration types.

Match Criteria

Applicability statements are made to withstand changes to the Official CPE Dictionary without requiring consistent maintenance. CPE match criteria come in two forms: CPE Match Strings and CPE Match String Ranges. Each of these is an abstract concept that is then correlated to CPE URIs in the Official CPE Dictionary. Match criteria are displayed in bold text within a configuration node.

CPE Match Strings

A CPE Match string is a single CPE URI string that correlates to one or many CPE URIs in the Official CPE Dictionary. When a match string has the bug icon next to it, all matching CPE URIs are considered vulnerable. You can click the caret below a CPE Match String to see the CPE URIs in the dictionary that match.

CPE Match String Range

A CPE Match String Range is very similar to the CPE Match String, but instead of having a single version assignment, it can have both a start and end version assignment. CPE Match String Ranges can represent <, >, <=, >= within a boundary. Instead of listing out a match string for every version of a product between 17.011.30059 and 17.011.30099, a CPE Match String Range will have a start version of 17.011.30059 and an end version of 17.011.30099. When a CPE Match String Range has the bug icon next to it, all matching CPE URIs are considered vulnerable. You can click the caret below a CPE Match String Range to see the CPE URIs in the dictionary that match.
 
  1. The base match string. This is combined with the Start/End version to identify matched CPE URIs.
  2. The Start version. “From (including)” is the same as “>=”
  3. The End version. “Up to (including)” is the same as “<=”
  4. Vulnerable identifier
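
The range evaluation described above, as an added example that is not NVD's own code. The vendor, product and dictionary entries are constructed; the version ordering (dotted numeric segments compared as integers) and the equal-or-wildcard attribute matching are simplifying assumptions, and the function names are hypothetical.

```python
import re

# Constructed sample data: vendor, product and dictionary entries are made up.
BASE = "cpe:2.3:a:example_vendor:example_reader:*:*:*:*:*:*:*:*"
TAIL = ":*:*:*:*:*:*:*"
DICTIONARY = [
    "cpe:2.3:a:example_vendor:example_reader:17.011.30058" + TAIL,
    "cpe:2.3:a:example_vendor:example_reader:17.011.30059" + TAIL,
    "cpe:2.3:a:example_vendor:example_reader:17.011.30080" + TAIL,
    "cpe:2.3:a:example_vendor:example_reader:17.011.30099" + TAIL,
    "cpe:2.3:a:example_vendor:example_reader:17.011.30100" + TAIL,
    "cpe:2.3:a:example_vendor:example_reader:-" + TAIL,  # no version recorded
    r"cpe:2.3:a:example_vendor:example_reader\:pro:17.011.30080" + TAIL,
]

def parse_cpe(cpe):
    # Split on ':' but not on the escaped form '\:' that may occur inside a value.
    parts = re.split(r"(?<!\\):", cpe)
    if len(parts) != 13 or parts[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 string: {cpe!r}")
    return parts[2:]  # part, vendor, product, version, update, ...

def version_key(version):
    # Assumption: dotted numeric segments, compared as integers ("011" == 11).
    return tuple(int(seg) for seg in version.split("."))

def in_range(version, start=None, end=None, start_inclusive=True, end_inclusive=True):
    try:
        v = version_key(version)
    except ValueError:
        return False  # '*', '-' or other non-numeric versions cannot be ordered
    if start is not None:
        s = version_key(start)
        if v < s or (v == s and not start_inclusive):
            return False
    if end is not None:
        e = version_key(end)
        if v > e or (v == e and not end_inclusive):
            return False
    return True

def match_range(base, dictionary, **bounds):
    want = parse_cpe(base)
    hits = []
    for entry in dictionary:
        have = parse_cpe(entry)
        # Simplified: non-version attributes must be equal or '*' in the base.
        same = all(w in ("*", h) for i, (w, h) in enumerate(zip(want, have)) if i != 3)
        if same and in_range(have[3], **bounds):
            hits.append(entry)
    return hits
```

Calling match_range(BASE, DICTIONARY, start="17.011.30059", end="17.011.30099") returns the three entries from 17.011.30059 through 17.011.30099; passing end_inclusive=False turns the upper bound into "<" and drops the last one.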

CPE URI

A Common Platform Enumeration Uniform Resource Identifier is a unique string used to identify a specific enumeration of a product. Once a product is identified, a CPE URI must be submitted to the Official CPE Dictionary and approved before it shows up in the results of any applicable match criteria. CPE URIs are displayed in italic text and are hyperlinks to the applicable CPE Detail page.
CPE URIs can be deprecated for multiple reasons. Deprecation means that the unique string is no longer considered accurate and a different string should be used instead. When a deprecated CPE URI matches, it is displayed with strikethrough text and the resulting appropriate CPE URI is indented underneath.

CPE Match string or URI missing?

Let us know! Public information on vulnerabilities changes daily. Please contact the NVD team using the alias cpe_dictionary@nist.gov and we will work to resolve any data issues as time and resources allow.