Understanding Vulnerability Detail Pages

Descriptions

These serve as a summary of the vulnerability and can include information such as the vulnerable product, impacts, attack vector, weakness or other relevant technical information. At times, CVEs may display a Current Description and Analysis Description, for example:

Image of CVE Description

Current Descriptions are the descriptions that are available at the time of viewing, which may be different than the descriptions when analysis was last performed. Analysis Descriptions are the descriptions that were available at the time of NVD analysis. The image above displays a vulnerability with both. The Current Description is shown by default with the option to click ‘+’ to display the Analysis Description.

The descriptions associated with a vulnerability are submitted through the CVE List and are maintained by the CVE Assignment Team through coordination with CNAs (CVE Numbering Authorities). The NVD has no control over CVE descriptions. If you feel that the information is inaccurate, please contact the CVE Assignment Team using the form at https://cveform.mitre.org/.

Severity

The Common Vulnerability Scoring System (CVSS) is a method used to supply a qualitative measure of severity. Each vulnerability is associated with a CVSS v2 and a CVSS v3 vector string. CVSS vector strings consist of exploitability and impact metrics. These metrics can be used in an equation to determine a number ranging from 1-10. The higher the number, the higher the severity of the vulnerability. The CVSS specifications are available from the FIRST website and can be referenced at https://www.first.org/cvss/specification-document.

The NVD displays CVSS information based on the results of NVD analysis. Additionally, if the CNA of the CVE record has provided CVSS information via the CVE List, it will be displayed as well. In the event the CVSS information provided by both the NVD and the CNA matches, only the CNA-provided CVSS information is displayed. Users can select which CVSS version they would like to view by using the button toggles.

Image of Severity

References

These URLs are supplemental information relevant to the vulnerability, which include details that may not be present in the CVE Description. References are given resource tags such as third-party advisory, vendor advisory, technical paper, press/media, VDB entries, etc. These tags can help users quickly categorize the type of information each reference contains. References for a CVE are provided through the CVE List; the NVD does not have direct control over them. If you have concerns with existing CVE references or find other publicly available information that would be useful, you can submit a request using the form at https://cveform.mitre.org/ for the CVE Assignment Team to review.

Image of References

Weakness Enumeration

The NVD uses Common Weakness Enumeration (CWE), which was created to identify common software security weaknesses. The CWE list was built through a community initiative of organizations and researchers to create specific definitions for each security flaw. The NVD uses the CWE-1003 view when associating CWEs with vulnerabilities. Known as “Weaknesses for Simplified Mapping of Published Vulnerabilities”, this subset of CWEs was selected through coordination between the NVD and the CWE team. If the CNA of the CVE record has provided CWE information via the CVE List, it will be displayed in this section along with the CWE[s] associated through NVD analysis.

Image of Weakness

Known Affected Software Configurations

This section of the vulnerability detail page shows which software or combinations of software are considered vulnerable at the time of analysis. The NVD uses the Common Platform Enumeration (CPE) 2.3 specification when creating these applicability statements and the matching CPE URI[s]. Applicability statements are a way to communicate which products are vulnerable in a relatively flexible syntax. The syntax was designed primarily to be processed by machines and thus is not easy for human readers to digest. We have made attempts to represent this information in a more human-readable way while still reflecting the products as they exist in the CPE Dictionary. Configurations are labeled numerically; however, no configuration is considered to be of greater importance than the others. Each configuration communicates which products, platforms and/or hardware are thought to be vulnerable.

Configurations

A configuration is a container that holds a set of nodes which then contain CPE URI Match Criteria. Configurations consist of three different types.

Basic: A single node containing one or more sets of match criteria. This configuration type communicates that each CPE URI that matches the match criteria is considered vulnerable.
Image of Basic Configuration

Running On/With: A combination of nodes containing both vulnerable and non-vulnerable match criteria. This configuration type communicates that CPE URIs that match the match criteria from both nodes must be present before a vulnerability applies.
Image of Running-On Configuration

Advanced: A complex combination of nodes with many enumerations based on the CPE 2.3 specification. Advanced configurations are displayed with the actual nodes and node values on the vulnerability detail page instead of in a simplified form such as the Basic and Running On/With configuration types.
Image of Advanced Configuration

Match Criteria

Applicability statements are made to withstand changes to the Official CPE Dictionary without requiring consistent maintenance. CPE Match criteria come in two forms: CPE Match Strings and CPE Match String Ranges. Both are abstract concepts that are then correlated to CPE URIs in the Official CPE Dictionary. Match criteria are displayed in bold text within a configuration node.

CPE Match Strings

A CPE Match string is a single CPE URI string that correlates to one or many CPE URIs in the Official CPE Dictionary. When a match string has the bug icon next to it, all matching CPE URIs are considered vulnerable. You can click the caret below a CPE Match String to see the CPE URIs in the dictionary that match.

Image of Match-String

CPE Match String Range

A CPE Match String Range is very similar to the CPE Match String, but instead of having a single version assignment, it can have both a start and an end version assignment. CPE Match String Ranges can represent <, >, <=, >= within a boundary. For example, instead of listing out a match string for every version of a product between 17.011.30059 and 17.011.30099, a CPE Match String Range will have a start version of 17.011.30059 and an end version of 17.011.30099. When a CPE Match String Range has the bug icon next to it, all matching CPE URIs are considered vulnerable. You can click the caret below a CPE Match String Range to see the CPE URIs in the dictionary that match.

  1. The base match string. This is combined with the Start/End version to identify matched CPE URIs.
  2. The Start version. “From (including)” is the same as “>=”.
  3. The End version. “Up to (including)” is the same as “<=”.
  4. Vulnerable identifier.

Image of Match-Range
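
The configuration types and the match string range described above can be evaluated against a software inventory as in the following added example, which is not NVD code. The dictionary keys, the product and platform names and the dotted-integer version comparison are assumptions of this example, and only the Basic and Running On/With shapes are covered.

```python
import operator

# Range bounds as named in this example (hypothetical key names).
BOUNDS = {"start_incl": operator.ge, "start_excl": operator.gt,
          "end_incl": operator.le, "end_excl": operator.lt}

def parse_cpe(uri):
    """Split a CPE 2.3 formatted string into its 11 attributes."""
    parts = uri.split(":")  # assumes no escaped ':' inside a value
    if len(parts) != 13 or parts[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 string: {uri!r}")
    return parts[2:]

def version_key(version):
    """Compare dotted numeric versions as integer tuples (an assumption)."""
    return tuple(int(x) for x in version.split("."))

def matches(criteria, installed):
    """True if an installed CPE URI satisfies one match criteria entry."""
    want, have = parse_cpe(criteria["match"]), parse_cpe(installed)
    if any(w != "*" and w != h for w, h in zip(want, have)):
        return False
    try:
        return all(op(version_key(have[3]), version_key(criteria[name]))
                   for name, op in BOUNDS.items() if name in criteria)
    except ValueError:
        return False  # a non-numeric version cannot be placed in a range

def affected(config, inventory):
    """Return the vulnerable CPE URIs in inventory if the configuration applies."""
    hits = [[cpe for cpe in inventory
             if any(matches(c, cpe) for c in node["criteria"])]
            for node in config["nodes"]]
    combine = all if config["operator"] == "AND" else any
    if not combine(hits):  # AND: every node needs a match; OR: any node
        return []
    return sorted({cpe for node, found in zip(config["nodes"], hits)
                   if node["vulnerable"] for cpe in found})

# Constructed sample data: product and platform names are placeholders.
BASE = "cpe:2.3:a:example_vendor:example_reader:{}:*:*:*:*:*:*:*"
OS = "cpe:2.3:o:example_vendor:example_os:-:*:*:*:*:*:*:*"
RANGE = {"match": BASE.format("*"),
         "start_incl": "17.011.30059", "end_incl": "17.011.30099"}
BASIC = {"operator": "OR", "nodes": [{"vulnerable": True, "criteria": [RANGE]}]}
RUNNING_ON = {"operator": "AND", "nodes": [
    {"vulnerable": True, "criteria": [RANGE]},
    {"vulnerable": False, "criteria": [{"match": OS}]}]}
```

With the Running On/With configuration, an in-range reader version is reported only when the platform CPE URI is also in the inventory; with the Basic configuration the reader alone is enough.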

CPE URI

A Common Platform Enumeration Uniform Resource Identifier is a unique string used to identify a specific enumeration of a product. Once a product is identified, a CPE URI must be submitted to and approved for the Official CPE Dictionary for it to show up in the results of any applicable match criteria. CPE URIs are displayed in italic text and are hyperlinks to the applicable CPE Detail page.

CPE URIs can be deprecated for multiple reasons. Deprecation means that the unique string is no longer considered accurate and that a different string should be used instead. When a deprecated CPE URI matches, it is displayed with strikethrough text and the resulting appropriate CPE URI is indented underneath.

Image of Match-String and CPEs

Image of Match-Range and CPEs

CPE Match String or URI Missing?

Let us know! Public information on vulnerabilities changes daily. Please contact the NVD team using the alias cpe_dictionary@nist.gov and we will work to resolve any data issues as time and resources allow.